

# Networking
<a name="networking-pattern-list"></a>

**Topics**
+ [Automate the setup of inter-Region peering with AWS Transit Gateway](automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.md)
+ [Centralize network connectivity using AWS Transit Gateway](centralize-network-connectivity-using-aws-transit-gateway.md)
+ [Configure HTTPS encryption for Oracle JD Edwards EnterpriseOne on Oracle WebLogic by using an Application Load Balancer](configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.md)
+ [Connect to Application Migration Service data and control planes over a private network](connect-to-application-migration-service-data-and-control-planes-over-a-private-network.md)
+ [Create Infoblox objects using AWS CloudFormation custom resources and Amazon SNS](create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns.md)
+ [Create a hierarchical, multi-Region IPAM architecture on AWS by using Terraform](multi-region-ipam-architecture.md)
+ [Customize Amazon CloudWatch alerts for AWS Network Firewall](customize-amazon-cloudwatch-alerts-for-aws-network-firewall.md)
+ [Deploy resources in an AWS Wavelength Zone by using Terraform](deploy-resources-wavelength-zone-using-terraform.md)
+ [Migrate DNS records in bulk to an Amazon Route 53 private hosted zone](migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone.md)
+ [Modify HTTP headers when you migrate from F5 to an Application Load Balancer on AWS](modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws.md)
+ [Create a report of Network Access Analyzer findings for inbound internet access in multiple AWS accounts](create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.md)
+ [Set up DNS resolution for hybrid networks in a multi-account AWS environment](set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment.md)
+ [Verify that ELB load balancers require TLS termination](verify-that-elb-load-balancers-require-tls-termination.md)
+ [View AWS Network Firewall logs and metrics by using Splunk](view-aws-network-firewall-logs-and-metrics-by-using-splunk.md)
+ [More patterns](networking-more-patterns-pattern-list.md)

# Automate the setup of inter-Region peering with AWS Transit Gateway
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway"></a>

*Ram Kandaswamy, Amazon Web Services*

## Summary
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway-summary"></a>

[AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) connects virtual private clouds (VPCs) and on-premises networks through a central hub. Transit Gateway traffic doesn't traverse the public internet, which reduces threat vectors, such as common exploits and distributed denial of service (DDoS) attacks.

If you need to communicate between two or more AWS Regions, you can use inter-Region Transit Gateway peering to establish peering connections between transit gateways in different Regions. However, manually configuring inter-Region peering with Transit Gateway can be complex and time-consuming. This pattern provides guidance for using infrastructure as code (IaC) to set up peering. You can use this approach if you have to repeatedly configure several Regions and AWS accounts for a multi-Region organization setup.

This pattern sets up an [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) stack that includes an AWS Step Functions [workflow](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-statemachines.html), AWS Lambda [functions](https://docs.aws.amazon.com/lambda/latest/dg/concepts-basics.html#gettingstarted-concepts-function), AWS Identity and Access Management (IAM) [roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html), and [log groups](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in Amazon CloudWatch Logs. You then run the Step Functions workflow to create the inter-Region peering connection for your transit gateways.

## Prerequisites and limitations
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway-prereqs"></a>

**Prerequisites**
+ An active AWS account.
+ An IDE that has code-generation capability, such as [Kiro](https://kiro.dev/#what-is-kiro).
+ An Amazon Simple Storage Service (Amazon S3) bucket and permissions to upload objects to it.
+ Transit gateways created in the requesting and accepting Regions.
+ VPCs created in the requesting and accepting Regions. Tag the VPCs with an `addToTransitGateway` key with a value of `true`.
+ [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) configured for your VPCs according to your requirements.
+ [Network access control lists (ACLs)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) configured for your VPCs according to your requirements.

**Limitations**
+ Only some AWS Regions support inter-Region peering. For a full list of Regions that support inter-Region peering, see the [AWS Transit Gateway FAQs](https://aws.amazon.com/transit-gateway/faqs/).

## Architecture
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway-architecture"></a>

The agentic AI development approach described in this pattern involves the following steps:

1. **Define the automation prompt** – Kiro receives a natural language prompt that details the peering requirements.

1. **Generate automation script** – Kiro generates the CloudFormation and Lambda scripts based on the provided prompt.

1. **Deploy the stack** – Kiro uses CloudFormation to deploy the required resources.

1. **Set up peering** – Kiro runs the Step Functions workflow, which calls Lambda functions to create peering connections and modify route tables.

The following diagram shows the Step Functions workflow:

![\[Step Functions workflow to call Lambda function to modify route tables for transit gateway peering.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/b678bb87-c7b9-4f7b-b26e-eaac650e5d1b/images/2f235f47-5d68-492c-b954-7dc170939cae.png)


 

The workflow contains the following steps:

1. The Step Functions workflow calls the Lambda function for the Transit Gateway peering. 

1. The workflow waits for one minute.

1. The workflow retrieves the peering status and sends it to the condition block. The block is responsible for the looping. 

1. If the success condition is not met, the workflow is coded to enter the timer stage. 

1. If the success condition is met, a Lambda function modifies the route tables. 

1. The Step Functions workflow ends.
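The following added example, which is not the code that Kiro generates for this pattern, shows the workflow above as plain Python functions: one that requests the peering attachment, one that reads its state for the condition block, one that adds the static routes in both Regions, and a driver that loops with a bounded number of polls. EC2 clients are passed in as parameters (in a real Lambda function you would pass `boto3.client("ec2", region_name=...)`), so the logic can run offline against the fake client at the bottom. All transit gateway IDs, route table IDs, the account number, and the CIDR blocks are constructed placeholders. The acceptance step is an assumption added here; the pattern text does not say who accepts the peering request, but a peering attachment must be accepted in the accepting Region before it can become `available`.

```python
"""Inter-Region Transit Gateway peering as plain Python functions.

Added example, not the code that Kiro generates for this pattern. It mirrors
the workflow above: request the peering, wait, poll the state, loop until it
is available, then add static routes in both Regions. EC2 clients are passed
in (boto3.client("ec2", region_name=...) in a real Lambda) so the logic runs
offline against the fake client at the bottom; all IDs, the account number,
and the CIDRs are constructed placeholders.
"""
SUCCESS_STATE = "available"
# Terminal failure states of a peering attachment; stop looping on these.
FAILED_STATES = {"failed", "failing", "rejected", "rejecting", "deleted", "deleting"}

def create_peering(ec2_requester, requester_tgw, accepter_tgw, accepter_account, accepter_region):
    """Step 1: request the peering attachment from the requesting Region."""
    resp = ec2_requester.create_transit_gateway_peering_attachment(
        TransitGatewayId=requester_tgw, PeerTransitGatewayId=accepter_tgw,
        PeerAccountId=accepter_account, PeerRegion=accepter_region)
    return resp["TransitGatewayPeeringAttachment"]["TransitGatewayAttachmentId"]

def get_peering_state(ec2, attachment_id):
    """Step 3: read the attachment state that feeds the condition block."""
    resp = ec2.describe_transit_gateway_peering_attachments(
        TransitGatewayAttachmentIds=[attachment_id])
    return resp["TransitGatewayPeeringAttachments"][0]["State"]

def accept_if_pending(ec2_accepter, attachment_id, state):
    """A peering request must be accepted in the accepting Region before it can
    become available; the pattern leaves this implicit, so it is done here."""
    if state == "pendingAcceptance":
        ec2_accepter.accept_transit_gateway_peering_attachment(
            TransitGatewayAttachmentId=attachment_id)
        return "pending"
    return state

def next_action(state):
    """The condition block: 'route' on success, 'wait' while in progress, and
    'fail' on a terminal error so the timer loop cannot spin forever."""
    if state == SUCCESS_STATE:
        return "route"
    return "fail" if state in FAILED_STATES else "wait"

def add_static_routes(ec2_requester, ec2_accepter, attachment_id, requester_rtb,
                      accepter_rtb, requester_cidrs, accepter_cidrs):
    """Step 5: static routes on both sides that point at the peering attachment.
    Routes do not propagate across a peering attachment, so each remote CIDR needs one."""
    added = 0
    for cidr in accepter_cidrs:    # remote CIDRs as seen from the requester
        ec2_requester.create_transit_gateway_route(
            DestinationCidrBlock=cidr, TransitGatewayRouteTableId=requester_rtb,
            TransitGatewayAttachmentId=attachment_id)
        added += 1
    for cidr in requester_cidrs:   # and the reverse direction
        ec2_accepter.create_transit_gateway_route(
            DestinationCidrBlock=cidr, TransitGatewayRouteTableId=accepter_rtb,
            TransitGatewayAttachmentId=attachment_id)
        added += 1
    return added

def run_workflow(ec2_requester, ec2_accepter, peering_args, requester_rtb, accepter_rtb,
                 requester_cidrs, accepter_cidrs, wait=lambda: None, max_polls=30):
    """Drive the loop the way the state machine does; max_polls bounds it."""
    attachment_id = create_peering(ec2_requester, *peering_args)
    for _ in range(max_polls):
        wait()                                   # the one-minute Wait state
        state = get_peering_state(ec2_requester, attachment_id)
        state = accept_if_pending(ec2_accepter, attachment_id, state)
        action = next_action(state)
        if action == "route":
            routes = add_static_routes(ec2_requester, ec2_accepter, attachment_id,
                                       requester_rtb, accepter_rtb, requester_cidrs, accepter_cidrs)
            return {"attachment_id": attachment_id, "state": state, "routes_added": routes}
        if action == "fail":
            raise RuntimeError(f"peering {attachment_id} ended in state {state}")
    raise TimeoutError(f"peering {attachment_id} not available after {max_polls} polls")

class FakeEc2:
    """Constructed stand-in for boto3's EC2 client; returns canned states in order."""
    def __init__(self, states=()):
        self.states, self.calls = list(states), []
    def create_transit_gateway_peering_attachment(self, **kw):
        self.calls.append(("create", kw))
        return {"TransitGatewayPeeringAttachment": {
            "TransitGatewayAttachmentId": "tgw-attach-0example", "State": "initiatingRequest"}}
    def describe_transit_gateway_peering_attachments(self, **kw):
        return {"TransitGatewayPeeringAttachments": [{"State": self.states.pop(0)}]}
    def accept_transit_gateway_peering_attachment(self, **kw):
        self.calls.append(("accept", kw))
    def create_transit_gateway_route(self, **kw):
        self.calls.append(("route", kw))

def demo():
    """Offline run: initiatingRequest -> pendingAcceptance -> pending -> available."""
    requester = FakeEc2(["initiatingRequest", "pendingAcceptance", "pending", "available"])
    accepter = FakeEc2()
    args = ("tgw-0requester", "tgw-0accepter", "111122223333", "eu-west-1")
    result = run_workflow(requester, accepter, args, "tgw-rtb-0requester", "tgw-rtb-0accepter",
                          ["10.1.0.0/16"], ["10.2.0.0/16", "10.3.0.0/16"])
    result["accept_calls"] = sum(1 for call in accepter.calls if call[0] == "accept")
    return result
```

Two design points carry over to the real Lambda functions: the condition block distinguishes terminal failure states from in-progress ones, so a rejected or failed request ends the execution instead of looping on the one-minute timer indefinitely, and the route step is explicit on both sides because peering attachments do not propagate routes.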

## Tools
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway-tools"></a>
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and AWS Regions. 
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
+ [Kiro](https://kiro.dev/#what-is-kiro) is an agentic AI development tool that helps you build production-ready applications through spec-driven development. 
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
+ [AWS Step Functions](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html) is a serverless orchestration service that helps you combine AWS Lambda functions and other AWS services to build business-critical applications.  

## Epics
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway-epics"></a>

### Generate Lambda and Step Functions code
<a name="generate-lam-and-sfn-code"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Fill prompt placeholders with specific details. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.html) Alternatively, you can add this as an inline prompt that references the above variables without attaching the file for context. | General AWS, Network administrator | 
| Create a Lambda function that creates the peering attachments. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.html) | General AWS, Network administrator, Prompt engineering | 
| Create a Lambda function that polls the peering attachment status. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.html) | General AWS, Network administrator, Prompt engineering | 
| Create a Lambda function that adds static routes to both Regions. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.html) | General AWS, Network administrator | 
| Create the CloudFormation template. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.html) | AWS DevOps, General AWS, Prompt engineering | 

### Deploy the AWS resources
<a name="deploy-the-aws-resources"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Deploy the CloudFormation stack by using prompts. | Enter the following prompt:<pre>Using the outputs from Prompts 1-4, package and deploy the full stack. Steps:<br /><br />1. For each of the three Python files from Prompts 1-3, create a zip named after the file (e.g. peer-transit-gateway.zip that contains peer-transit-gateway.py).<br />2. Upload all three zips to S3_BUCKET.<br />3. Deploy the CloudFormation template from Prompt 4 to ACTIVE_REGION with S3BucketName=S3_BUCKET and CAPABILITY_NAMED_IAM.<br />4. Initiate the Step Function from the deployed stack.<br /><br />Zip file names must match the S3Key values in the template exactly.</pre> | AWS DevOps, Cloud administrator, General AWS, Prompt engineering | 
| Validate deployment. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-the-setup-of-inter-region-peering-with-aws-transit-gateway.html) | General AWS | 

## Related resources
<a name="automate-the-setup-of-inter-region-peering-with-aws-transit-gateway-resources"></a>
+ [Starting state machine executions in Step Functions](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-executions.html)
+ [Transit Gateway peering attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html)
+ [Interconnecting VPCs across AWS Regions using AWS Transit Gateway](https://www.youtube.com/watch?v=cj1rQqLxXU8) (video)

# Centralize network connectivity using AWS Transit Gateway
<a name="centralize-network-connectivity-using-aws-transit-gateway"></a>

*Mydhili Palagummi and Nikhil Marrapu, Amazon Web Services*

## Summary
<a name="centralize-network-connectivity-using-aws-transit-gateway-summary"></a>

This pattern describes the simplest configuration in which AWS Transit Gateway can be used to connect an on-premises network to virtual private clouds (VPCs) in multiple AWS accounts within an AWS Region. Using this setup, you can establish a hybrid network that connects multiple VPC networks in a Region and an on-premises network. This is accomplished by using a transit gateway and a virtual private network (VPN) connection to the on-premises network. 

## Prerequisites and limitations
<a name="centralize-network-connectivity-using-aws-transit-gateway-prereqs"></a>

**Prerequisites**
+ An account for hosting network services, managed as a member account of an organization in AWS Organizations
+ VPCs in multiple AWS accounts, without overlapping Classless Inter-Domain Routing (CIDR) blocks

**Limitations**

This pattern does not support the isolation of traffic between certain VPCs or the on-premises network. All the networks attached to the transit gateway will be able to reach each other. To isolate traffic, you need to use custom route tables on the transit gateway. This pattern only connects the VPCs and on-premises network by using a single default transit gateway route table, which is the simplest configuration.
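The limitation above follows directly from how transit gateway route tables work: traffic entering from an attachment is looked up in the route table that attachment is associated with, and any route in that table (propagated or static) that targets another attachment makes that attachment reachable. The following added example, which is not part of the pattern, computes attachment-to-attachment reachability from that configuration and compares it with an allow list, first for the single default route table used here and then for a custom-route-table variant that isolates the VPCs from each other. The topology and IDs are constructed; in practice the associations would come from `get_transit_gateway_route_table_associations` and the routes from `search_transit_gateway_routes`. Longest-prefix matching and blackhole routes are not modelled, because only the set of route targets matters for this check.

```python
"""Reachability audit for a transit gateway's route tables.

Added example, not from the pattern. An attachment is associated with one
transit gateway route table; a route in that table targeting another
attachment makes that attachment reachable. Longest-prefix match and
blackhole routes are deliberately not modelled. All IDs are constructed.
"""

def reachability(route_tables):
    """Map each attachment ID to the set of other attachments it can reach."""
    reach = {}
    for table in route_tables.values():
        targets = set(table["routes"].values())
        for source in table["associations"]:
            reach.setdefault(source, set()).update(targets - {source})
    return reach

def unexpected_paths(route_tables, allowed_pairs):
    """Return (source, destination) pairs that are reachable but not allowed;
    this is the check to run before trusting a segmentation design."""
    return sorted(
        (src, dst)
        for src, dsts in reachability(route_tables).items()
        for dst in dsts
        if (src, dst) not in allowed_pairs
    )

# Constructed topology: two spoke VPCs and one Site-to-Site VPN attachment.
VPC_A, VPC_B, VPN = "tgw-attach-vpc-a", "tgw-attach-vpc-b", "tgw-attach-vpn"
ROUTES = {"10.1.0.0/16": VPC_A, "10.2.0.0/16": VPC_B, "192.168.0.0/16": VPN}

# The pattern's setup: one default table, every attachment associated and propagating into it.
DEFAULT_ONLY = {
    "tgw-rtb-default": {"associations": {VPC_A, VPC_B, VPN}, "routes": dict(ROUTES)},
}

# Isolation variant with custom route tables: VPCs only learn the on-premises
# route, while the VPN's table learns the VPC routes.
ISOLATED = {
    "tgw-rtb-vpcs": {"associations": {VPC_A, VPC_B},
                     "routes": {"192.168.0.0/16": VPN}},
    "tgw-rtb-vpn": {"associations": {VPN},
                    "routes": {"10.1.0.0/16": VPC_A, "10.2.0.0/16": VPC_B}},
}

# Policy: spokes may talk to on-premises and back, but not to each other.
ALLOWED = {(VPC_A, VPN), (VPC_B, VPN), (VPN, VPC_A), (VPN, VPC_B)}

if __name__ == "__main__":
    print("default table violations:", unexpected_paths(DEFAULT_ONLY, ALLOWED))
    print("isolated tables violations:", unexpected_paths(ISOLATED, ALLOWED))
```

With the single default table, the audit reports VPC-to-VPC paths in both directions; with the two custom tables, it reports nothing, which is the configuration to move to when the VPCs must not reach each other.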

## Architecture
<a name="centralize-network-connectivity-using-aws-transit-gateway-architecture"></a>

**Target technology stack**
+ AWS Transit Gateway
+ AWS Site-to-Site VPN
+ VPC
+ AWS Resource Access Manager (AWS RAM)

 

**Target architecture**

![\[AWS Transit Gateway connects on-premises network to VPCs in multiple AWS accounts within a Region.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/e23f5faf-e75e-42a3-80e3-142516a2db4e/images/1ecf7e04-bbf8-4304-88c8-6aceb7271d1e.jpeg)


## Tools
<a name="centralize-network-connectivity-using-aws-transit-gateway-tools"></a>

**AWS services**
+ [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) helps you securely share your resources across your AWS accounts, organizational units, or your entire organization from AWS Organizations.
+ [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) is a central hub that connects virtual private clouds (VPCs) and on-premises networks.

## Epics
<a name="centralize-network-connectivity-using-aws-transit-gateway-epics"></a>

### Create a transit gateway in the network services account
<a name="create-a-transit-gateway-in-the-network-services-account"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a transit gateway. | In the AWS account where you want to host network services, create a transit gateway in the target AWS Region. For instructions, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw). Note the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/centralize-network-connectivity-using-aws-transit-gateway.html) | Network administrator | 

### Connect the transit gateway to your on-premises network
<a name="connect-the-transit-gateway-to-your-on-premises-network"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Set up a customer gateway device for the VPN connection. | The customer gateway device is attached on the on-premises side of the Site-to-Site VPN connection between the transit gateway and your on-premises network. For more information, see [Your customer gateway device](https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html) in the AWS Site-to-Site VPN documentation. Identify or launch a supported on-premises customer device and note its public IP address. VPN configuration is completed later in this epic.  | Network administrator | 
| In the network services account, create a VPN attachment to the transit gateway. | To set up a connection, create a VPN attachment for the transit gateway. For instructions, see [Transit gateway VPN attachments](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html). | Network administrator | 
| Configure the VPN on the customer gateway device in your on-premises network.  | Download the configuration file for the Site-to-Site VPN connection associated with the transit gateway and configure VPN settings on the customer gateway device. For instructions, see [Download the configuration file](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-download-config). | Network administrator | 

### Share the transit gateway in the network services account to other AWS accounts or your organization
<a name="share-the-transit-gateway-in-the-network-services-account-to-other-aws-accounts-or-your-organization"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| In the AWS Organizations management account, turn on sharing. | To share the transit gateway with your organization or with certain organizational units, turn on sharing in AWS Organizations. Otherwise, you would need to share the transit gateway for each account individually. For instructions, see [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs). | AWS systems administrator | 
| Create the transit gateway resource share in the network services account. | To allow VPCs in other AWS accounts within your organization to connect to the transit gateway, in the network services account, use the AWS RAM console to share the transit gateway resource. For instructions, see [Create a resource share](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create). | AWS systems administrator | 

### Connect VPCs to the transit gateway
<a name="connect-vpcs-to-the-transit-gateway"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create VPC attachments in individual accounts.  | In the accounts to which the transit gateway has been shared, create transit gateway VPC attachments. For instructions, see [Create a transit gateway attachment to a VPC](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html#create-vpc-attachment). | Network administrator | 
| Accept the VPC attachment requests. | In the network services account, accept the transit gateway VPC attachment requests. For instructions, see [Accept a shared attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-accept-shared-attachment). | Network administrator | 

### Configure routing
<a name="configure-routing"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Configure routes in individual account VPCs. | In each individual account VPC, add routes to the on-premises network and to other VPC networks, using the transit gateway as the target. For instructions, see [Add and remove routes from a route table](https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html#AddRemoveRoutes). | Network administrator | 
| Configure routes in the transit gateway route table. | Routes from VPCs and the VPN connection should be propagated and should appear in the transit gateway default route table. If needed, create any static routes (one example is static routes for the static VPN connection) in the transit gateway default route table. For instructions, see [Create a static route](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-route-tables.html#tgw-create-static-route). | Network administrator | 
| Add security group and network access control list (ACL) rules. | For the EC2 instances and other resources in the VPC, ensure that the security group rules and the network ACL rules allow traffic between VPCs as well as the on-premises network. For instructions, see [Control traffic to resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules) and [Add and delete rules from an ACL](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules). | Network administrator | 

### Test connectivity
<a name="test-connectivity"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Test connectivity between VPCs. | Ensure that the network ACL rules and security group rules allow Internet Control Message Protocol (ICMP) traffic, and then ping from instances in one VPC to instances in another VPC that is also connected to the transit gateway. | Network administrator | 
| Test connectivity between VPCs and the on-premises network. | Ensure that network ACL rules, security group rules, and any firewalls allow ICMP traffic, and then ping between the on-premises network and the EC2 instances in the VPCs. Network communication must be initiated from the on-premises network first to bring the VPN connection to `UP` status. | Network administrator | 

## Related resources
<a name="centralize-network-connectivity-using-aws-transit-gateway-resources"></a>
+ [Building a scalable and secure multi VPC AWS Network Infrastructure](https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf) (AWS whitepaper)
+ [Working with shared resources](https://docs.aws.amazon.com/ram/latest/userguide/working-with.html) (AWS RAM documentation)
+ [Working with transit gateways](https://docs.aws.amazon.com/vpc/latest/tgw/working-with-transit-gateways.html) (AWS Transit Gateway documentation)

# Configure HTTPS encryption for Oracle JD Edwards EnterpriseOne on Oracle WebLogic by using an Application Load Balancer
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer"></a>

*Thanigaivel Thirumalai, Amazon Web Services*

## Summary
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-summary"></a>

This pattern explains how to configure HTTPS encryption for SSL offloading in Oracle JD Edwards EnterpriseOne on Oracle WebLogic workloads. This approach encrypts traffic between the user’s browser and a load balancer to remove the encryption burden from the EnterpriseOne servers.

Many users scale the EnterpriseOne Java virtual machine (JVM) tier horizontally by using an [AWS Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). The load balancer serves as the single point of contact for clients and distributes incoming traffic across multiple JVMs. Optionally, the load balancer can distribute the traffic across multiple Availability Zones and increase the availability of EnterpriseOne.

The process described in this pattern configures encryption between the browser and the load balancer instead of encrypting the traffic between the load balancer and the EnterpriseOne JVMs. This approach is referred to as *SSL offloading*. Offloading the SSL decryption process from the EnterpriseOne web or application server to the Application Load Balancer reduces the burden on the application side. After SSL termination at the load balancer, the unencrypted traffic is routed to the application on AWS.
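Because the segment between the load balancer and OHS is plaintext by design, the point to verify after setup is that the encrypted segment really is the browser-facing one. The following added example, which is not part of the pattern, audits the response shapes of the ELBv2 `describe_listeners` and `describe_target_groups` calls for the layout this pattern describes: an HTTPS listener on port 443 with a certificate attached, an HTTP listener on port 80 whose only action is a redirect to HTTPS, and an HTTP target group on port 8000 (the OHS port from the `mod_wl_ohs.conf` in this pattern). The listener and target group records, the certificate ARN, the security policy name, and the target group names are constructed sample data.

```python
"""Audit an Application Load Balancer for the SSL offloading layout above.

Added example, not part of the pattern. It checks ELBv2 describe_listeners
and describe_target_groups response shapes for: HTTPS on 443 with a
certificate, HTTP on 80 that only redirects to HTTPS, and an HTTP target
group on the OHS port. The records below are constructed sample data.
"""
OHS_PORT = 8000   # WebLogicPort / VirtualHost port from mod_wl_ohs.conf in this pattern

def audit_offload(listeners, target_groups):
    """Return a list of findings; an empty list means the layout is as expected."""
    findings = []
    by_port = {lst["Port"]: lst for lst in listeners}

    https = by_port.get(443)
    if https is None or https["Protocol"] != "HTTPS":
        findings.append("no HTTPS listener on 443: the browser segment is not encrypted")
    elif not https.get("Certificates"):
        findings.append("HTTPS listener on 443 has no certificate attached")

    http = by_port.get(80)
    if http is not None:
        actions = http.get("DefaultActions", [])
        only_redirects = bool(actions) and all(
            a["Type"] == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
            for a in actions)
        if not only_redirects:
            findings.append("HTTP listener on 80 serves plaintext instead of redirecting to HTTPS")

    for tg in target_groups:
        if tg["Protocol"] != "HTTP" or tg["Port"] != OHS_PORT:
            findings.append(f"target group {tg['TargetGroupName']} is {tg['Protocol']}:{tg['Port']}, "
                            f"expected HTTP:{OHS_PORT} for OHS behind the load balancer")
    return findings

# Constructed describe_listeners / describe_target_groups content for the intended layout.
EXPECTED_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"}],
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:EXAMPLE"}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
]
EXPECTED_TARGET_GROUPS = [{"TargetGroupName": "jde-ohs", "Protocol": "HTTP", "Port": OHS_PORT}]

# A misconfigured variant: plain HTTP only, and a target group that still expects TLS.
PLAINTEXT_LISTENERS = [{"Port": 80, "Protocol": "HTTP",
                        "DefaultActions": [{"Type": "forward",
                                            "TargetGroupArn": "arn:aws:elasticloadbalancing:EXAMPLE"}]}]
TLS_TARGET_GROUPS = [{"TargetGroupName": "jde-ohs-tls", "Protocol": "HTTPS", "Port": 443}]

if __name__ == "__main__":
    print("expected layout:", audit_offload(EXPECTED_LISTENERS, EXPECTED_TARGET_GROUPS))
    print("misconfigured:", audit_offload(PLAINTEXT_LISTENERS, TLS_TARGET_GROUPS))
```

The audit does not inspect the security group on the OHS instances; since the load balancer to OHS hop is unencrypted, that security group should accept port 8000 only from the load balancer's security group, which is a separate check against `describe_security_groups`.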

[Oracle JD Edwards EnterpriseOne](https://www.oracle.com/applications/jd-edwards-enterpriseone/) is an enterprise resource planning (ERP) solution for organizations that manufacture, construct, distribute, service, or manage products or physical assets. JD Edwards EnterpriseOne supports various hardware, operating systems, and database platforms.

## Prerequisites and limitations
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-prereqs"></a>

**Prerequisites**
+ An active AWS account
+ An AWS Identity and Access Management (IAM) role that has permissions to make AWS service calls and manage AWS resources
+ An SSL certificate

**Product versions**
+ This pattern was tested with Oracle WebLogic 12c, but you can also use other versions.

## Architecture
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-architecture"></a>

There are multiple approaches to perform SSL offloading. This pattern uses an Application Load Balancer and Oracle HTTP Server (OHS), as illustrated in the following diagram.

![\[SSL offloading with a load balancer and OHS\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/c62b976b-31e4-42ca-b7e8-13f7c9d9a187/images/2ae2d0eb-b9f3-41f8-ad86-9af3aade7072.png)


The following diagram shows the JD Edwards EnterpriseOne, Application Load Balancer, and Java Application Server (JAS) JVM layout.

![\[EnterpriseOne, load balancer, and JAS JVM layout\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/c62b976b-31e4-42ca-b7e8-13f7c9d9a187/images/72ea35b0-2907-48b3-aeb7-0c5d9a3b831b.png)


## Tools
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-tools"></a>

**AWS services**
+ [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/) distribute incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2 instances), in multiple Availability Zones.
+ [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html) helps you create, store, and renew public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.
+ [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html) is a highly available and scalable DNS web service.

## Best practices
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-best-practices"></a>
+ For ACM best practices, see the [ACM documentation](https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html).

## Epics
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-epics"></a>

### Set up WebLogic and OHS
<a name="set-up-weblogic-and-ohs"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Install and configure Oracle components. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html) | JDE CNC, WebLogic administrator | 
| Enable the WebLogic plugin at the domain level. | The WebLogic plugin is required for load balancing. To enable the plugin:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html) | JDE CNC, WebLogic administrator | 
| Edit the configuration file. | The `mod_wl_ohs.conf` file configures proxy requests from OHS to WebLogic.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html)<pre><VirtualHost *:8000><br /><Location /jde><br />WLSRequest On<br />SetHandler weblogic-handler<br />WebLogicHost localhost<br />WebLogicPort 8000<br />WLProxySSL On<br />WLProxySSLPassThrough On<br /></Location><br /></VirtualHost></pre> | JDE CNC, WebLogic administrator | 
| Start OHS by using the Enterprise Manager. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html) | JDE CNC, WebLogic administrator | 

### Configure the Application Load Balancer
<a name="configure-the-application-load-balancer"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Set up a target group. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html)For detailed instructions, see the [Elastic Load Balancing documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html). | AWS administrator | 
| Set up the load balancer. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html) | AWS administrator | 
| Add a Route 53 (DNS) record. | (Optional) You can add an Amazon Route 53 DNS record for the subdomain. This record would point to your Application Load Balancer. For instructions, see the [Route 53 documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html). | AWS administrator | 

## Troubleshooting
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-troubleshooting"></a>


| Issue | Solution | 
| --- | --- | 
| HTTP server doesn’t appear. | If **HTTP Server** doesn’t appear in the **Target Navigation** list on the Enterprise Manager console, follow these steps:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer.html)When the instance has been created and changes have been activated, you will be able to see the HTTP server in the **Target Navigation** panel. | 

## Related resources
<a name="configure-https-encryption-for-oracle-jd-edwards-enterpriseone-on-oracle-weblogic-by-using-an-application-load-balancer-resources"></a>

**AWS documentation**
+ [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html)
+ [Working with public hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html)
+ [Working with private hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html)

**Oracle documentation**
+ [Overview of Oracle WebLogic Server Proxy Plug-In](https://docs.oracle.com/middleware/1221/webtier/develop-plugin/overview.htm#PLGWL391)
+ [Installing WebLogic Server using the Infrastructure Installer](https://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/wls/12c/12_2_1/02-01-004-InstallWLSInfrastructure/installweblogicinfrastructure.html)
+ [Installing and Configuring Oracle HTTP Server](https://docs.oracle.com/middleware/1221/core/install-ohs/toc.htm)

# Connect to Application Migration Service data and control planes over a private network
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network"></a>

*Dipin Jain and Mike Kuznetsov, Amazon Web Services*

## Summary
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-summary"></a>

This pattern explains how you can connect to an AWS Application Migration Service data plane and control plane on a private, secured network by using interface VPC endpoints.

Application Migration Service is a highly automated lift-and-shift (rehost) solution that simplifies, expedites, and reduces the cost of migrating applications to AWS. It enables companies to rehost a large number of physical, virtual, or cloud servers without compatibility issues, performance disruption, or long cutover windows. Application Migration Service is available from the AWS Management Console. This enables seamless integration with other AWS services, such as AWS CloudTrail, Amazon CloudWatch, and AWS Identity and Access Management (IAM).

You can connect from a source data center to a data plane—that is, to a subnet that serves as a staging area for data replication in the destination VPC—over a private connection by using Site-to-Site VPN services, AWS Direct Connect, or VPC peering in Application Migration Service. You can also use [interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) powered by AWS PrivateLink to connect to an Application Migration Service control plane over a private network. 

## Prerequisites and limitations
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-prereqs"></a>

**Prerequisites**
+ **Staging area subnet** – Before you set up Application Migration Service, create a subnet to be used as a staging area for data replicated from your source servers to AWS (that is, a data plane). You must specify this subnet in the [Replication Settings template](https://docs.aws.amazon.com/mgn/latest/ug/template-vs-server.html) when you first access the Application Migration Service console. You can override this subnet for specific source servers in the Replication Settings template. Although you can use an existing subnet in your AWS account, we recommend that you create a new, dedicated subnet for this purpose.
+ **Network requirements** – The replication servers that Application Migration Service launches in your staging area subnet must be able to send data to the Application Migration Service API endpoint at `https://mgn.<region>.amazonaws.com/`, where `<region>` is the code for the AWS Region you are replicating to (for example, `https://mgn.us-east-1.amazonaws.com`). Amazon Simple Storage Service (Amazon S3) service URLs are required for downloading Application Migration Service software.
  + The AWS Replication Agent installer must have access to the Amazon S3 bucket URL of the AWS Region you are using with Application Migration Service.
  + The staging area subnet should have access to Amazon S3.
  + The source servers on which the AWS Replication Agent is installed must be able to send data to the replication servers in the staging area subnet and to the Application Migration Service API endpoint at `https://mgn.<region>.amazonaws.com/`.

The following table lists the required ports.


| Source | Destination | Port | For more information, see | 
| --- |--- |--- |--- |
| Source data center | Amazon S3 service URLs | 443 (TCP) | [Communication over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#TCP-443) | 
| Source data center | AWS Region-specific console address for Application Migration Service | 443 (TCP) | [Communication between the source servers and Application Migration Service over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#Source-Manager-TCP-443) | 
| Source data center | Staging area subnet | 1500 (TCP) | [Communication between the source servers and the staging area subnet over TCP port 1500](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#Communication-TCP-1500) | 
| Staging area subnet | AWS Region-specific console address for Application Migration Service | 443 (TCP) | [Communication between the staging area subnet and Application Migration Service over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#Communication-TCP-443-Staging) | 
| Staging area subnet | Amazon S3 service URLs | 443 (TCP) | [Communication over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#TCP-443) | 
| Staging area subnet | Amazon Elastic Compute Cloud (Amazon EC2) endpoint of the subnet’s AWS Region | 443 (TCP) | [Communication over TCP port 443](https://docs.aws.amazon.com/mgn/latest/ug/Network-Requirements.html#TCP-443) | 

**Limitations**

Application Migration Service isn’t currently available in all AWS Regions, and it doesn’t support all operating systems.
+ [Supported AWS Regions](https://docs.aws.amazon.com/mgn/latest/ug/supported-regions.html)
+ [Supported operating systems](https://docs.aws.amazon.com/mgn/latest/ug/Supported-Operating-Systems.html)

## Architecture
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-architecture"></a>

The following diagram illustrates the network architecture for a typical migration. For more information about this architecture, see the [Application Migration Service documentation](https://docs.aws.amazon.com/mgn/latest/ug/Network-Settings-Video.html) and the [Application Migration Service service architecture and network architecture video](https://youtu.be/ao8geVzmmRo).

![\[Network architecture for Application Migration Service for a typical migration\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/21346c0f-0643-4f4f-b21f-fdfe24fc6a8f/images/546598b2-8026-4849-a441-eaa2bc2bf6bb.png)


The following detailed view shows the configuration of interface VPC endpoints in the staging area VPC that are used to connect to Amazon S3 and Application Migration Service.

![\[Network architecture for Application Migration Service for a typical migration - detailed view\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/21346c0f-0643-4f4f-b21f-fdfe24fc6a8f/images/bd0dfd42-4ab0-466f-b696-804dedcf4513.png)


## Tools
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-tools"></a>
+ [AWS Application Migration Service](https://docs.aws.amazon.com/mgn/latest/ug/what-is-application-migration-service.html) simplifies, expedites, and reduces the cost of rehosting applications on AWS.
+ [Interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) enable you to connect to services that are powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

## Epics
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-epics"></a>

### Create endpoints for Application Migration Service, Amazon EC2, and Amazon S3
<a name="create-endpoints-for-mgn-ec2-and-s3"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Configure the interface endpoint for Application Migration Service. | The source data center and staging area VPC connect privately to the Application Migration Service control plane through the interface endpoint that you create in the target staging area VPC. To create the endpoint:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)For more information, see [Access an AWS service using an interface VPC endpoint in the Amazon VPC](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) documentation. | Migration lead | 
| Configure the interface endpoint for Amazon EC2. | The staging area VPC connects privately to the Amazon EC2 API through the interface endpoint that you create in the target staging area VPC. To create the endpoint, follow the instructions provided in the previous story.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html) | Migration lead | 
| Configure the interface endpoint for Amazon S3. | The source data center and staging area VPC connect privately to the Amazon S3 API through the interface endpoint that you create in the target staging area VPC. To create the endpoint, follow the instructions provided in the first story.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)You use an interface endpoint because gateway endpoint connections cannot be extended out of a VPC. (For details, see the [AWS PrivateLink documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html).) | Migration lead | 
| Configure the Amazon S3 gateway endpoint. | During the configuration phase, the replication server has to connect to an S3 bucket to download the AWS Replication Server’s software updates. However, Amazon S3 interface endpoints do not support private DNS names, and there is no way to supply an Amazon S3 endpoint DNS name to a replication server. To mitigate this issue, you create an Amazon S3 gateway endpoint in the VPC that the staging area subnet belongs to, and update the staging subnet’s route tables with the relevant routes. For more information, see [Create a gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3) in the AWS PrivateLink documentation. | Cloud administrator | 
| Configure on-premises DNS to resolve private DNS names for endpoints. | The interface endpoints for Application Migration Service and Amazon EC2 have private DNS names that can be resolved in the VPC. However, you also need to configure on-premises servers to resolve private DNS names for these interface endpoints. There are multiple ways to configure these servers. In this pattern, we tested this functionality by forwarding on-premises DNS queries to the Amazon Route 53 Resolver inbound endpoint in the staging area VPC. For more information, see [Resolving DNS queries between VPCs and your network](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-overview-DSN-queries-to-vpc.html) in the Route 53 documentation. | Migration engineer | 
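A quick way to confirm that the endpoint configuration in this epic is actually in effect is to check where the service names resolve to: with private DNS working, `mgn.<region>.amazonaws.com` and `ec2.<region>.amazonaws.com` should resolve to interface-endpoint addresses inside the staging VPC, not to public addresses. The following Python check is an added example and is not part of the pattern. It assumes the Regional hostnames `mgn.<region>.amazonaws.com`, `ec2.<region>.amazonaws.com`, and `s3.<region>.amazonaws.com`, takes the staging VPC CIDR from the caller, and keeps the resolver injectable so the classification logic can be exercised offline with constructed addresses.

```python
"""Check that Application Migration Service, Amazon EC2, and Amazon S3 endpoint
names resolve to interface-endpoint addresses inside the staging area VPC.

Added example, not part of the AWS pattern. The Region and the staging VPC
CIDR(s) are supplied by the caller; the hostnames follow the public AWS naming
scheme (<service>.<region>.amazonaws.com).
"""
import ipaddress
import socket

# Services that the source servers and the staging subnet must reach over TCP 443.
SERVICE_HOSTS = ("mgn", "ec2", "s3")


def endpoint_hostnames(region: str) -> dict:
    """Return the Regional API hostnames that replication traffic must reach."""
    return {svc: f"{svc}.{region}.amazonaws.com" for svc in SERVICE_HOSTS}


def resolve(hostname: str) -> list:
    """Resolve a hostname to its IPv4 addresses using the local resolver."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(addresses, vpc_cidrs) -> str:
    """Classify resolved addresses relative to the staging VPC.

    'private'  every address lies inside a VPC CIDR: the name resolves to the
               interface endpoint network interfaces (private DNS is working)
    'public'   no address is inside the VPC: traffic would use public endpoints
    'mixed'    some inside, some outside: usually a split-horizon DNS problem
    'none'     nothing resolved
    """
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    if not addresses:
        return "none"
    inside = [any(ipaddress.ip_address(a) in n for n in nets) for a in addresses]
    if all(inside):
        return "private"
    if not any(inside):
        return "public"
    return "mixed"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP connection; True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(region: str, vpc_cidrs, resolver=resolve) -> dict:
    """Resolve each endpoint name and classify where it points."""
    report = {}
    for svc, host in endpoint_hostnames(region).items():
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
        report[svc] = {"host": host, "addresses": addrs, "path": classify(addrs, vpc_cidrs)}
    return report


if __name__ == "__main__":
    import json
    import sys

    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    cidrs = sys.argv[2:] or ["10.0.0.0/16"]  # placeholder staging VPC CIDR
    report = audit(region, cidrs)
    for svc, entry in report.items():
        entry["tcp443"] = tcp_reachable(entry["host"], 443)
    print(json.dumps(report, indent=2))
```

Run it from a source server after the on-premises forwarding to the Route 53 Resolver inbound endpoint is in place, and again from an instance in the staging subnet. A `public` result for `s3` is expected when you follow the gateway-endpoint task above, because a gateway endpoint works through the subnet route table rather than through DNS; a `public` or `mixed` result for `mgn` or `ec2` means the private DNS name is not being honoured and replication traffic would leave the private path.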

### Connect to the Application Migration Service control plane over a private link
<a name="connect-to-the-mgn-control-plane-over-a-private-link"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Install AWS Replication Agent by using AWS PrivateLink. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)Here’s an example for Linux:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/connect-to-application-migration-service-data-and-control-planes-over-a-private-network.html)After you have established your connection with Application Migration Service and installed the AWS Replication Agent, follow the instructions in the [Application Migration Service documentation](https://docs.aws.amazon.com/mgn/latest/ug/migration-workflow-gs.html) to migrate your source servers to your target VPC and subnet. | Migration engineer | 

## Related resources
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-resources"></a>

**Application Migration Service documentation**
+ [Concepts](https://docs.aws.amazon.com/mgn/latest/ug/CloudEndure-Concepts.html)
+ [Migration workflow ](https://docs.aws.amazon.com/mgn/latest/ug/migration-workflow-gs.html)
+ [Quick start guide](https://docs.aws.amazon.com/mgn/latest/ug/quick-start-guide-gs.html)
+ [FAQ](https://docs.aws.amazon.com/mgn/latest/ug/FAQ.html)
+ [Troubleshooting](https://docs.aws.amazon.com/mgn/latest/ug/troubleshooting.html)

**Additional resources**
+ [Rehosting your applications in a multi-account architecture on AWS by using VPC interface endpoints](https://docs.aws.amazon.com/prescriptive-guidance/latest/rehost-multi-account-architecture-interface-endpoints/) (AWS Prescriptive Guidance guide)
+ [AWS Application Migration Service – A Technical Introduction](https://www.aws.training/Details/eLearning?id=71732) (AWS Training and Certification walkthrough)
+ [AWS Application Migration Service architecture and network architecture](https://youtu.be/ao8geVzmmRo) (video)

## Additional information
<a name="connect-to-application-migration-service-data-and-control-planes-over-a-private-network-additional"></a>

**Troubleshooting AWS Replication Agent installations on Linux servers**

If you get a **gcc** error on an Amazon Linux server, configure the package repository and use the following command:

```
# Installs gcc and the rest of the build toolchain that the agent installer needs
sudo yum groupinstall "Development Tools"
```

# Create Infoblox objects using AWS CloudFormation custom resources and Amazon SNS
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns"></a>

*Tim Sutton, Amazon Web Services*

## Summary
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns-summary"></a>

**Notice**: AWS Cloud9 is no longer available to new customers. Existing customers of AWS Cloud9 can continue to use the service as normal. [Learn more](https://aws.amazon.com/blogs/devops/how-to-migrate-from-aws-cloud9-to-aws-ide-toolkits-or-aws-cloudshell/)

Infoblox Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP address management ([Infoblox DDI](https://www.infoblox.com/products/ddi/)) enables you to centralize and efficiently control a complex hybrid environment. With Infoblox DDI, you can discover and record all network assets in one authoritative IP address management (IPAM) database, in addition to managing DNS on premises and on the Amazon Web Services (AWS) Cloud by using the same appliances.

This pattern describes how to use an AWS CloudFormation custom resource to create Infoblox objects (for example, DNS records or IPAM objects) by calling the Infoblox WAPI API. For more information about the Infoblox WAPI, see the [WAPI documentation](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-infoblox-rest-api.pdf) in the Infoblox documentation.

By using this pattern’s approach, you can obtain a unified view of DNS records and IPAM configurations for your AWS and on-premises environments, in addition to removing manual processes that create records and provision your networks. You can use this pattern’s approach for the following use cases:
+ Adding an A record after creating an Amazon Elastic Compute Cloud (Amazon EC2) instance 
+ Adding a CNAME record after creating an Application Load Balancer
+ Adding a network object after creating a virtual private cloud (VPC)
+ Providing the next network range and using that range to create subnets

You can also extend this pattern and use other Infoblox device features such as adding different DNS record types or configuring Infoblox vDiscovery. 

The pattern uses a hub-and-spoke design in which the hub requires connectivity to the Infoblox appliance on the AWS Cloud or on premises and uses AWS Lambda to call the Infoblox API. The spoke is in the same or a different account in the same organization in AWS Organizations, and calls the Lambda function by using an AWS CloudFormation custom resource.

## Prerequisites and limitations
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns-prereqs"></a>

**Prerequisites**
+ An existing Infoblox appliance or grid, installed on the AWS Cloud, on premises, or both, and configured with an admin user that can administer IPAM and DNS actions. For more information about this, see [About admin accounts](https://docs.infoblox.com/display/nios86/About+Admin+Accounts) in the Infoblox documentation. 
+ An existing DNS authoritative zone that you want to add records on the Infoblox appliance. For more information about this, see [Configuring authoritative zones](https://docs.infoblox.com/display/nios86/Configuring+Authoritative+Zones) in the Infoblox documentation.  
+ Two active AWS accounts in AWS Organizations. One account is the hub account and the other account is the spoke account.
+ The hub and spoke accounts must be in the same AWS Region. 
+ The hub account’s VPC must connect to the Infoblox appliance; for example, by using AWS Transit Gateway or VPC peering.
+ [AWS Serverless Application Model (AWS SAM),](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html) locally installed and configured with AWS Cloud9 or AWS CloudShell.
+ The `Infoblox-Hub.zip` and `ClientTest.yaml` files (attached), downloaded to the local environment that contains AWS SAM.

**Limitations**
+ The AWS CloudFormation custom resource’s service token must be from the same Region where the stack is created. We recommend that you use a hub account in each Region, instead of creating an Amazon Simple Notification Service (Amazon SNS) topic in one Region and calling the Lambda function in another Region.

**Product versions**
+ Infoblox WAPI version 2.7

## Architecture
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns-architecture"></a>

The following diagram shows this pattern’s workflow.

![\[Creating Infoblox objects using AWS CloudFormation custom resources and Amazon SNS.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/8d609d3f-6f5e-4084-849f-ca191db8055e/images/3594a064-e103-4211-84b7-da67c41ebb15.png)


The diagram shows the following components for this pattern’s solution:

1. AWS CloudFormation custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs when you create, update, or delete stacks. When you create a stack, AWS CloudFormation sends a `create` request to an SNS topic that's monitored by an application running on an EC2 instance.

1. The Amazon SNS notification from the AWS CloudFormation custom resource is encrypted through a specific AWS Key Management Service (AWS KMS) key and access is restricted to accounts in your organization in Organizations. The SNS topic initiates the Lambda resource that calls the Infoblox WAPI API.

1. Amazon SNS invokes the following Lambda functions that take the Infoblox WAPI URL, the user name, and password AWS Secrets Manager Amazon Resource Names (ARNs) as environment variables: 
   + `dnsapi.lambda_handler` – Receives the `DNSName`, `DNSType`, and `DNSValue` values from the AWS CloudFormation custom resource and uses these to create DNS A records and CNAMES.
   + `ipaddr.lambda_handler` – Receives the `VPCCIDR`, `Type`, `SubnetPrefix`, and `Network Name` values from the AWS CloudFormation custom resource and uses these to add the network data into the Infoblox IPAM database or provide the custom resource with the next available network that can be used to create new subnets.
   + `describeprefixes.lambda_handler` – Calls the `describe_managed_prefix_lists` AWS API by using the `"com.amazonaws."+Region+".s3"` filter to retrieve the required `prefix ID`.
**Important**  
These Lambda functions are written in Python and are similar to each other but call different APIs.

1. You can deploy the Infoblox grid as physical, virtual, or cloud-based network appliances. It can be deployed on premises or as a virtual appliance on a range of hypervisors, including VMware ESXi, Microsoft Hyper-V, Linux KVM, and Xen. You can also deploy the Infoblox grid on the AWS Cloud with an Amazon Machine Image (AMI).

1. The diagram shows a hybrid solution for the Infoblox grid that provides DNS and IPAM to resources on the AWS Cloud and on premises.

**Technology stack**
+ AWS CloudFormation
+ IAM
+ AWS KMS
+ AWS Lambda
+ AWS SAM
+ AWS Secrets Manager
+ Amazon SNS
+ Amazon VPC 

## Tools
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns-tools"></a>
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
+ [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) helps you create and control cryptographic keys to help protect your data.
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.
+ [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) helps you replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
+ [AWS Serverless Application Model (AWS SAM)](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html) is an open-source framework that helps you build serverless applications in the AWS Cloud.
+ [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.
+ [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

**Code**

You can use the `ClientTest.yaml` sample AWS CloudFormation template (attached) to test the Infoblox hub. You can customize the AWS CloudFormation template to include the custom resources from the following table.


| Task | Return values and example resource | 
| --- | --- | 
| Create an A record using the Infoblox spoke custom resource | **Return values:** `infobloxref` – Infoblox references<br />**Example resource:**<pre>ARECORDCustomResource:<br />  Type: "Custom::InfobloxAPI"<br />  Properties:<br />    ServiceToken: !Sub arn:aws:sns:${AWS::Region}:${HubAccountID}:RunInfobloxDNSFunction<br />    DNSName: 'arecordtest.company.com'<br />    DNSType: 'ARecord'<br />    DNSValue: '10.0.0.1'</pre> | 
| Create a CNAME record using the Infoblox spoke custom resource | **Return values:** `infobloxref` – Infoblox references<br />**Example resource:**<pre>CNAMECustomResource:<br />  Type: "Custom::InfobloxAPI"<br />  Properties:<br />    ServiceToken: !Sub arn:aws:sns:${AWS::Region}:${HubAccountID}:RunInfobloxDNSFunction<br />    DNSName: 'cnametest.company.com'<br />    DNSType: 'cname'<br />    DNSValue: 'aws.amazon.com'</pre> | 
| Create a network object using the Infoblox spoke custom resource | **Return values:** `infobloxref` – Infoblox references; `network` – Network range (the same as `VPCCIDR`)<br />**Example resource:**<pre>VPCCustomResource:<br />  Type: 'Custom::InfobloxAPI'<br />  Properties:<br />    ServiceToken: !Sub arn:aws:sns:${AWS::Region}:${HubAccountID}:RunInfobloxNextSubnetFunction<br />    VPCCIDR: !Ref VpcCIDR<br />    Type: VPC<br />    NetworkName: My-VPC</pre> | 
| Retrieve the next available subnet using the Infoblox spoke custom resource | **Return values:** `infobloxref` – Infoblox references; `network` – The subnet's network range<br />**Example resource:**<pre>Subnet1CustomResource:<br />  Type: 'Custom::InfobloxAPI'<br />  DependsOn: VPCCustomResource<br />  Properties:<br />    ServiceToken: !Sub arn:aws:sns:${AWS::Region}:${HubAccountID}:RunInfobloxNextSubnetFunction<br />    VPCCIDR: !Ref VpcCIDR<br />    Type: Subnet<br />    SubnetPrefix: !Ref SubnetPrefix<br />    NetworkName: My-Subnet</pre> | 
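The hub side that these custom resources talk to is described under Architecture: the spoke publishes a custom resource request to the hub SNS topic, SNS invokes a Lambda function, and `DNSName`, `DNSType`, and `DNSValue` arrive in the request’s `ResourceProperties`. The following Python is an added example of such a handler for the DNS record resources in this table; it is not the `dnsapi.lambda_handler` function attached to the pattern. The WAPI object types `record:a` and `record:cname` and the `/wapi/v2.7/` path are the Infoblox WAPI as Infoblox documents it; the `INFOBLOX_HOST`, `INFOBLOX_USER`, and `INFOBLOX_PASSWORD` environment variables are assumptions made for this example (the pattern reads the credentials from Secrets Manager ARNs instead).

```python
"""Hub-side Lambda handler for the Infoblox spoke DNS custom resource.

Added example, not the pattern's attached dnsapi.lambda_handler. Flow: spoke
custom resource -> hub SNS topic -> this function -> Infoblox WAPI -> response
PUT to CloudFormation's pre-signed ResponseURL. INFOBLOX_HOST, INFOBLOX_USER and
INFOBLOX_PASSWORD are assumed environment variables for this example only.
"""
import base64
import ipaddress
import json
import os
import re
import urllib.request

# RFC 1123 host name: dotted labels of 1-63 characters, 253 characters overall.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$")

# DNSType value (lower-cased) -> (WAPI object, payload builder)
RECORD_TYPES = {
    "arecord": ("record:a", lambda name, value: {"name": name, "ipv4addr": value}),
    "cname": ("record:cname", lambda name, value: {"name": name, "canonical": value}),
}


def parse_sns_event(event: dict) -> dict:
    """Unwrap the CloudFormation custom resource request from the SNS envelope."""
    return json.loads(event["Records"][0]["Sns"]["Message"])


def build_wapi_request(props: dict) -> tuple:
    """Validate the resource properties and return (wapi_object, payload).

    Unknown record types, malformed names and non-IPv4 A record values are
    rejected before anything reaches the appliance, so a bad template cannot
    create a half-formed record or pass arbitrary WAPI fields through DNSValue.
    """
    name = str(props.get("DNSName", "")).strip().lower()
    rtype = str(props.get("DNSType", "")).strip().lower()
    value = str(props.get("DNSValue", "")).strip().lower()
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unsupported DNSType {props.get('DNSType')!r}")
    if not HOSTNAME_RE.match(name):
        raise ValueError(f"DNSName {name!r} is not a valid hostname")
    if rtype == "arecord":
        ipaddress.IPv4Address(value)  # raises AddressValueError on anything else
    elif not HOSTNAME_RE.match(value):
        raise ValueError(f"DNSValue {value!r} is not a valid canonical name")
    wapi_object, make_payload = RECORD_TYPES[rtype]
    return wapi_object, make_payload(name, value)


def wapi_call(method: str, path: str, payload=None) -> str:
    """Call the grid with HTTP basic auth; WAPI answers POST and DELETE with the object _ref."""
    url = f"https://{os.environ['INFOBLOX_HOST']}/wapi/v2.7/{path}"
    creds = f"{os.environ['INFOBLOX_USER']}:{os.environ['INFOBLOX_PASSWORD']}".encode()
    req = urllib.request.Request(
        url, method=method, data=None if payload is None else json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + base64.b64encode(creds).decode()})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.loads(resp.read())


def cfn_response(request: dict, status: str, data=None, reason: str = "") -> dict:
    """Build the body CloudFormation expects at ResponseURL; Data keys become !GetAtt values."""
    data = data or {}
    physical_id = (data.get("infobloxref") or request.get("PhysicalResourceId")
                   or request["LogicalResourceId"])
    return {
        "Status": status,
        "Reason": reason or "See the CloudWatch log stream for details",
        "PhysicalResourceId": physical_id,
        "StackId": request["StackId"],
        "RequestId": request["RequestId"],
        "LogicalResourceId": request["LogicalResourceId"],
        "Data": data,
    }


def send_response(url: str, body: dict) -> None:
    """PUT the response to the pre-signed S3 URL; CloudFormation requires an empty Content-Type."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10).close()


def lambda_handler(event, context=None, wapi=wapi_call, send=send_response) -> dict:
    """Entry point. Always answers CloudFormation, even on failure, so the stack never hangs."""
    request = parse_sns_event(event)
    try:
        if request["RequestType"] == "Delete":
            ref = request.get("PhysicalResourceId", "")
            if "/" in ref:  # a WAPI _ref; anything else means Create never succeeded
                wapi("DELETE", ref)
            body = cfn_response(request, "SUCCESS")
        else:  # Create and Update both create the record described by the properties
            wapi_object, payload = build_wapi_request(request["ResourceProperties"])
            ref = wapi("POST", wapi_object, payload)
            body = cfn_response(request, "SUCCESS", {"infobloxref": ref})
    except Exception as exc:  # report every error as FAILED with its reason
        body = cfn_response(request, "FAILED", reason=f"{type(exc).__name__}: {exc}")
    send(request["ResponseURL"], body)
    return body
```

Two choices matter operationally. The `_ref` that WAPI returns is used as the `PhysicalResourceId`, so a later `Delete` request carries exactly the object to remove, and a `Delete` for a resource whose `Create` failed is acknowledged without calling the grid, which is what lets a failed stack roll back cleanly. Every code path ends in a response to `ResponseURL`; a custom resource that raises without responding leaves the stack waiting for the custom resource timeout.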

## Epics
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns-epics"></a>

### Create and configure the hub account’s VPC
<a name="create-and-configure-the-hub-accountrsquor-s-vpc"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a VPC with a connection to the Infoblox appliance. | Sign in to the AWS Management Console for your hub account and create a VPC by following the steps in the [Amazon VPC on the AWS Cloud Quick Start reference deployment](https://aws-quickstart.github.io/quickstart-aws-vpc/) from AWS Quick Starts. The VPC must have HTTPS connectivity to the Infoblox appliance, and we recommend that you use a private subnet for this connection. | Network administrator, System administrator | 
| (Optional) Create the VPC endpoints for private subnets.  | VPC endpoints provide connectivity to public services for your private subnets. The following endpoints are required:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns.html)For more information about creating endpoints for private subnets, see [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html) in the Amazon VPC documentation. | Network administrator, Systems administrator | 

### Deploy the Infoblox hub
<a name="deploy-the-infoblox-hub"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Build the AWS SAM template. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns.html) | Developer, System administrator | 
| Deploy the AWS SAM template. | The `sam deploy` command takes the required parameters and saves them into the `samconfig.toml` file, stores the AWS CloudFormation template and Lambda functions in an S3 bucket, and then deploys the AWS CloudFormation template into your hub account.  The following sample code shows how to deploy the AWS SAM template:<pre>$ sam deploy --guided<br /><br />Configuring SAM deploy<br />======================<br />        Looking for config file [samconfig.toml] :  Found<br />        Reading default arguments  :  Success<br />        Setting default arguments for 'sam deploy'<br />        =========================================<br />        Stack Name [Infoblox-Hub]:<br />        AWS Region [eu-west-1]:<br />        Parameter InfobloxUsername:<br />        Parameter InfobloxPassword:<br />        Parameter InfobloxIPAddress [xxx.xxx.xx.xxx]:<br />        Parameter AWSOrganisationID [o-xxxxxxxxx]:<br />        Parameter VPCID [vpc-xxxxxxxxx]:<br />        Parameter VPCCIDR [xxx.xxx.xxx.xxx/16]:<br />        Parameter VPCSubnetID1 [subnet-xxx]:<br />        Parameter VPCSubnetID2 [subnet-xxx]:<br />        Parameter VPCSubnetID3 [subnet-xxx]:<br />        Parameter VPCSubnetID4 []: <br />        #Shows you resources changes to be deployed and require a 'Y' to initiate deploy<br />        Confirm changes before deploy [Y/n]: y<br />        #SAM needs permission to be able to create roles to connect to the resources in your template<br />Allow SAM CLI IAM role creation [Y/n]: n<br />Capabilities [['CAPABILITY_NAMED_IAM']]:<br />        Save arguments to configuration file [Y/n]: y<br />        SAM configuration file [samconfig.toml]:<br />        SAM configuration environment [default]: </pre>You must use the `--guided` option each time because the Infoblox sign-in credentials are not stored in the `samconfig.toml` file. | Developer, System administrator | 

## Related resources
<a name="create-infoblox-objects-using-aws-cloudformation-custom-resources-and-amazon-sns-resources"></a>
+ [Getting started with WAPIs using Postman](https://blogs.infoblox.com/community/getting-started-with-wapis-using-postman/) (Infoblox Blog)
+ [Provisioning vNIOS for AWS Using the BYOL Model](https://docs.infoblox.com/display/NAIG/Provisioning+vNIOS+for+AWS+Using+the+BYOL+Model) (Infoblox documentation)
+ [quickstart-aws-vpc](https://github.com/aws-quickstart/quickstart-aws-vpc) (GitHub repo)
+ [describe_managed_prefix_lists](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_managed_prefix_lists) (AWS SDK for Python documentation)

## Attachments
<a name="attachments-8d609d3f-6f5e-4084-849f-ca191db8055e"></a>

To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/8d609d3f-6f5e-4084-849f-ca191db8055e/attachments/attachment.zip)

# Create a hierarchical, multi-Region IPAM architecture on AWS by using Terraform
<a name="multi-region-ipam-architecture"></a>

*Donny Schreiber, Amazon Web Services*

## Summary
<a name="multi-region-ipam-architecture-summary"></a>

*IP address management (IPAM)* is a critical component of network management, and it becomes increasingly complex as organizations scale their cloud infrastructure. Without proper IPAM, organizations risk IP address conflicts, wasted address space, and complex troubleshooting that can lead to outages and application downtime. This pattern demonstrates how to implement a comprehensive IPAM solution for AWS enterprise environments by using HashiCorp Terraform. It helps organizations to create a hierarchical, multi-Region IPAM architecture that facilitates centralized IP address management across all AWS accounts in an [AWS organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#organization-structure).

This pattern helps you implement [Amazon VPC IP Address Manager](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html) with a sophisticated four-tier pool hierarchy: top-level pool, Regional pools, business unit pools, and environment-specific pools. This structure supports proper IP address governance while enabling delegation of IP management to appropriate teams within the organization. The solution uses AWS Resource Access Manager (AWS RAM) to seamlessly share IP Address Manager pools across the organization. AWS RAM centralizes and standardizes IPAM specifications, which teams can build upon across all managed accounts.

This pattern can help you achieve the following:
+ Automate IP address allocation across AWS Regions, business units, and environments.
+ Enforce organizational network policies through programmatic validation.
+ Scale network infrastructure efficiently as business requirements evolve.
+ Reduce operational overhead through centralized management of IP address spaces.
+ Accelerate cloud-native workload deployments with self-service CIDR range allocation.
+ Prevent address conflicts through policy-based controls and validation.

## Prerequisites and limitations
<a name="multi-region-ipam-architecture-prereqs"></a>

**Prerequisites**
+ One or more AWS accounts, managed as an organization in AWS Organizations.
+ A network hub or network management account that will serve as the IP Address Manager delegated administrator.
+ AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).
+ Terraform version 1.5.0 or later, [installed](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli).
+ AWS Provider for Terraform, [configured](https://registry.terraform.io/providers/hashicorp/aws/latest/docs).
+ Permissions to manage [IP Address Manager](https://docs.aws.amazon.com/vpc/latest/ipam/iam-ipam.html), [AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/security-iam.html), and [virtual private clouds (VPCs)](https://docs.aws.amazon.com/vpc/latest/userguide/security-iam.html), configured in AWS Identity and Access Management (IAM).

**Limitations**
+ IP Address Manager is subject to [service quotas](https://docs.aws.amazon.com/vpc/latest/ipam/quotas-ipam.html). The default service quota for pools is 50 per scope. Running this deployment for 6 Regions, 2 business units, and 4 environments would create 67 pools. Therefore, a quota increase might be necessary.
+ Modifying or deleting IP Address Manager pools after resources have been allocated can cause dependency issues. You must [release the allocation](https://docs.aws.amazon.com/vpc/latest/ipam/release-alloc-ipam.html) before you can delete the pool.
+ In IP Address Manager, [resource monitoring](https://docs.aws.amazon.com/vpc/latest/ipam/monitor-cidr-compliance-ipam.html) can experience a slight delay in reflecting resource changes. This delay can be approximately 20 minutes.
+ IP Address Manager cannot automatically enforce IP address uniqueness across different scopes.
+ Custom tags must adhere to [AWS tagging best practices](https://docs.aws.amazon.com/whitepapers/latest/tagging-best-practices/tagging-best-practices.html). For example, each key must be unique and cannot begin with `aws:`.
+ There are [considerations and limitations](https://docs.aws.amazon.com/vpc/latest/ipam/enable-integ-ipam-outside-org-considerations.html) when integrating IP Address Manager with accounts outside of your organization.

## Architecture
<a name="multi-region-ipam-architecture-architecture"></a>

**Target architecture**

*IP Address Manager configuration and pool hierarchy*

The following diagram shows the logical constructs of the target architecture. A *scope* is the highest-level container in IP Address Manager. Each scope represents the IP address space for a single network. The *pools* are collections of contiguous IP address ranges (or CIDR ranges) within the scope. Pools help you organize your IP addresses according to your routing and security needs. This diagram shows four hierarchical levels of pools: a top-level pool, Regional pools, business unit pools, and environment pools.

![\[A private scope and four levels of pools in a single AWS Region in a Network account.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/780e344e-37f7-4b70-8d7c-94ec67a29305/images/1e23b2a7-a274-4a19-9097-61d8a31dfbf8.png)


This solution establishes a clear hierarchy of IP Address Manager pools:

1. The top-level pool encompasses the entire organizational IP address space, such as `10.176.0.0/12`.

1. The Regional pools are for Region-specific allocations, such as `10.176.0.0/15` for `us-east-1`.

1. The business unit pools are domain-specific allocations within each AWS Region. For example, the finance business unit in the `us-east-1` Region might have `10.176.0.0/16`.

1. The environment pools are purpose-specific allocations for different environments. For example, the finance business unit in the `us-east-1` Region might have `10.176.0.0/18` for a production environment.

This deployment topology distributes IP Address Manager resources geographically while maintaining centralized control. The following are its features:
+ IP Address Manager is deployed in a single primary AWS Region.
+ Additional Regions are registered as [operating regions](https://docs.aws.amazon.com/vpc/latest/ipam/mod-ipam-region.html), where IP Address Manager can manage resources.
+ Each operating region receives a dedicated address pool from the top-level pool.
+ Resources in all operating regions are centrally managed through IP Address Manager in the primary Region.
+ Each Regional pool has a locale property tied to its Region to help you properly allocate resources.

*Advanced CIDR range validation*

This solution is designed to prevent deployment of invalid configurations. When you deploy the pools through Terraform, the following checks run during the Terraform plan phase:
+ All environment CIDR ranges are contained within their parent business unit CIDR ranges.
+ All business unit CIDR ranges are contained within their parent Regional CIDR ranges.
+ All Regional CIDR ranges are contained within the top-level CIDR ranges.
+ CIDR ranges within the same hierarchy level do not overlap.
+ Each environment is mapped to its respective business unit.
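The pool hierarchy above and the plan-phase containment and overlap checks, modelled as an added Python example that is not the pattern's Terraform code. It uses the page's `10.176.0.0/12` top-level range and sizing (6 Regions, 2 business units, 4 environments), so it reproduces the /15, /16 and /18 tiers and the 67-pool count from the Limitations section; the Region, business unit and environment names and the counterexample CIDRs are constructed.

```python
import ipaddress
import math
from typing import Any, Dict, List, Optional

# A pool is {"cidr": "<IPv4 network>", "children": {name: pool}}; IPv4 only.
Pool = Dict[str, Any]


def _split(parent: ipaddress.IPv4Network, count: int) -> List[ipaddress.IPv4Network]:
    """Carve `count` equal child ranges out of `parent` with power-of-two sizing,
    so six Regions get /15s from a /12 and the two spare /15s remain as buffer."""
    if count == 0:
        return []
    diff = max(1, math.ceil(math.log2(count)))
    return list(parent.subnets(prefixlen_diff=diff))[:count]


def build_hierarchy(top_cidr: str, regions: List[str],
                    business_units: List[str], environments: List[str]) -> Pool:
    """Return the top -> Region -> business unit -> environment pool tree."""
    top = ipaddress.IPv4Network(top_cidr, strict=True)
    tree: Pool = {"cidr": str(top), "children": {}}
    for region, r_net in zip(regions, _split(top, len(regions))):
        r_pool: Pool = {"cidr": str(r_net), "children": {}}
        for bu, b_net in zip(business_units, _split(r_net, len(business_units))):
            b_pool: Pool = {"cidr": str(b_net), "children": {}}
            for env, e_net in zip(environments, _split(b_net, len(environments))):
                b_pool["children"][env] = {"cidr": str(e_net), "children": {}}
            r_pool["children"][bu] = b_pool
        tree["children"][region] = r_pool
    return tree


def count_pools(pool: Pool) -> int:
    """Total pools in the tree, to compare against the per-scope pool quota."""
    return 1 + sum(count_pools(child) for child in pool["children"].values())


def _check_level(parent_path: str, parent_net: Optional[ipaddress.IPv4Network],
                 children: Dict[str, Pool], errors: List[str]) -> None:
    """Validate one level of the tree, then recurse into each child pool."""
    seen: Dict[str, ipaddress.IPv4Network] = {}
    for name, pool in children.items():
        path = f"{parent_path}/{name}" if parent_path else name
        try:
            net = ipaddress.IPv4Network(pool["cidr"], strict=True)  # host bits set -> error
        except ValueError as exc:
            errors.append(f"{path}: invalid CIDR {pool['cidr']!r} ({exc})")
            continue
        # Containment: a child range must lie inside its parent's range.
        if parent_net is not None and not net.subnet_of(parent_net):
            errors.append(f"{path}: {net} is not contained in parent {parent_net}")
        # Overlap: pools at the same level under one parent must be disjoint.
        for other_path, other_net in seen.items():
            if net.overlaps(other_net):
                errors.append(f"{path}: {net} overlaps sibling {other_path} ({other_net})")
        seen[path] = net
        _check_level(path, net, pool["children"], errors)


def validate_hierarchy(top: Pool) -> List[str]:
    """Return every violation found; an empty list means the plan is clean."""
    errors: List[str] = []
    _check_level("", None, {"top": top}, errors)
    return errors


# The page's sizing: 6 Regions, 2 business units, 4 environments (names constructed).
PAGE_SCHEME = build_hierarchy(
    "10.176.0.0/12",
    regions=["us-east-1", "us-west-2", "eu-west-1", "eu-central-1",
             "ap-southeast-1", "ap-northeast-1"],
    business_units=["finance", "retail"],
    environments=["prod", "staging", "dev", "sandbox"],
)

# Constructed counterexample: a Region outside the /12 and two business units that overlap.
BROKEN_HIERARCHY: Pool = {
    "cidr": "10.176.0.0/12",
    "children": {
        "us-east-1": {
            "cidr": "10.176.0.0/15",
            "children": {
                "finance": {"cidr": "10.176.0.0/16", "children": {}},
                "retail": {"cidr": "10.176.128.0/17", "children": {}},
            },
        },
        "eu-west-1": {"cidr": "10.200.0.0/15", "children": {}},
    },
}

if __name__ == "__main__":
    finance = PAGE_SCHEME["children"]["us-east-1"]["children"]["finance"]
    print("pools:", count_pools(PAGE_SCHEME), "(default quota is 50 per scope)")
    print("us-east-1/finance/prod:", finance["children"]["prod"]["cidr"])
    print("page scheme violations:", validate_hierarchy(PAGE_SCHEME))
    for err in validate_hierarchy(BROKEN_HIERARCHY):
        print("violation:", err)
```

Run it before `terraform plan` on a proposed variable set to see exactly which pool breaks containment or overlaps a sibling, and whether the pool count will exceed the quota.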

*CIDR range allocation*

The following diagram shows an example of how developers or administrators can create new VPCs and allocate IP addresses from the pool levels.

![\[A private scope and four levels of pools in a single AWS Region in a Network account.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/780e344e-37f7-4b70-8d7c-94ec67a29305/images/7c3de2e3-e71b-4fc0-abcd-7e88cfab5c87.png)


The diagram shows the following workflow:

1. Through the AWS Management Console, the AWS CLI, or infrastructure as code (IaC), a developer or administrator requests the next available CIDR range in the `AY3` environment pool.

1. IP Address Manager allocates the next available CIDR range in that pool to the `AY3-4` VPC. This CIDR range can no longer be used.

**Automation and scale**

This solution is designed for scalability as follows:
+ **Regional expansion** – Add new Regions by extending the Terraform configuration with additional Regional pool entries.
+ **Business unit growth** – Support new business units by adding them to the BU configuration map.
+ **Environment flexibility** – Configure different environment types, such as development or production, based on organizational needs.
+ **Multi-account support** – Share pools across all accounts in your organization through AWS RAM.
+ **Automated VPC provisioning** – Integrate with VPC provisioning workflows to automate CIDR range allocation.

The hierarchical structure also allows for different scales of delegation and control, such as the following:
+ Network administrators might manage the top-level and Regional pools.
+ Business unit IT teams might have delegated control of their respective pools.
+ Application teams might consume IP addresses from their designated environment pools.

**Note**  
You can also integrate this solution with [AWS Control Tower Account Factory for Terraform (AFT)](https://docs.aws.amazon.com/controltower/latest/userguide/aft-overview.html). For more information, see *Integration with AFT* in the [Additional information](#multi-region-ipam-architecture-additional) section of this pattern.

## Tools
<a name="multi-region-ipam-architecture-tools"></a>

**AWS services**
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open source tool that helps you interact with AWS services through commands in your command-line shell.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.
+ [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) helps you securely share your resources across AWS accounts to reduce operational overhead and provide visibility and auditability.
+ [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS. [IP Address Manager](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html) is a feature of Amazon VPC. It helps you plan, track, and monitor IP addresses for your AWS workloads.

**Other tools**
+ [HashiCorp Terraform](https://www.terraform.io/docs) is an infrastructure as code (IaC) tool that helps you use code to provision and manage cloud infrastructure and resources.

**Code repository**

The code for this pattern is available in the [Sample Terraform Implementation for Hierarchical IPAM on AWS](https://github.com/aws-samples/sample-amazon-vpc-ipam-terraform) repository on GitHub. The repository structure includes:
+ **Root module** – Deployment orchestration and input variables.
+ **IPAM module** – Core implementation of the architecture described in this pattern.
+ **Tags module** – Standardized tagging for all resources.

## Best practices
<a name="multi-region-ipam-architecture-best-practices"></a>

Consider the following best practices for network planning:
+ **Plan first** – Thoroughly plan your IP address space before deployment. For more information, see [Plan for IP address provisioning](https://docs.aws.amazon.com/vpc/latest/ipam/planning-ipam.html).
+ **Avoid overlapping CIDR ranges** – Make sure that CIDR ranges at each level do not overlap.
+ **Reserve buffer space** – Always allocate larger CIDR ranges than immediately needed to accommodate growth.
+ **Document IP address allocation** – Maintain documentation of your IP address allocation strategy.

Consider the following deployment best practices:
+ **Start with non-production** – Deploy in non-production environments first.
+ **Use Terraform state management** – Implement remote state storage and locking. For more information, see [State storage and locking](https://developer.hashicorp.com/terraform/language/state/backends) in the Terraform documentation.
+ **Implement version control** – Version control all Terraform code.
+ **Implement CI/CD integration** – Use continuous integration and continuous delivery (CI/CD) pipelines for repeatable deployments.

Consider the following operational best practices:
+ **Enable auto-import** – Configure an IP Address Manager pool to automatically discover and import existing resources. Follow the instructions in [Edit an IPAM pool](https://docs.aws.amazon.com/vpc/latest/ipam/mod-pool-ipam.html) to turn on auto-import.
+ **Monitor IP address utilization** – Set up alarms for IP address utilization thresholds. For more information, see [Monitor IPAM with Amazon CloudWatch](https://docs.aws.amazon.com/vpc/latest/ipam/cloudwatch-ipam.html).
+ **Audit regularly** – Periodically audit IP address usage and compliance. For more information, see [Tracking IP address usage in IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/tracking-ip-addresses-ipam.html).
+ **Clean up unused allocations** – Release IP address allocations when resources are decommissioned. For more information, see [Deprovision CIDRs from a pool](https://docs.aws.amazon.com/vpc/latest/ipam/depro-pool-cidr-ipam.html).

Consider the following security best practices:
+ **Implement least privilege** – Use IAM roles with the minimum required permissions. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) and [Identity and access management in IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/iam-ipam.html).
+ **Use service control policies** – Implement service control policies (SCPs) to enforce IP Address Manager usage in your organization. For more information, see [Enforce IPAM use for VPC creation with SCPs](https://docs.aws.amazon.com/vpc/latest/ipam/scp-ipam.html).
+ **Control resource sharing** – Carefully manage the scope of IP Address Manager resource sharing in AWS RAM. For more information, see [Share an IPAM pool using AWS RAM](https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html).
+ **Enforce tagging** – Implement mandatory tagging for all resources related to IP Address Manager. For more information, see *Tagging strategy* in the [Additional information](#multi-region-ipam-architecture-additional) section.

## Epics
<a name="multi-region-ipam-architecture-epics"></a>

### Set up a delegated administrator account for IP Address Manager
<a name="set-up-a-delegated-administrator-account-for-ip-address-manager"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Enable AWS Organizations features. | Make sure that AWS Organizations has all features enabled. For instructions, see [Enabling all features for an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the AWS Organizations documentation. | AWS administrator | 
| Enable resource sharing in AWS RAM. | Using the AWS CLI, enter the following command to enable AWS RAM resource sharing for your organization:<pre>aws ram enable-sharing-with-aws-organization</pre>For more information, see [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the AWS RAM documentation. | AWS administrator | 
| Designate an administrator for IP Address Manager. | From the organization’s management account, using the AWS CLI, enter the following command, where `123456789012` is the ID of the account that will administer IP Address Manager:<pre>aws ec2 enable-ipam-organization-admin-account \<br />    --delegated-admin-account-id 123456789012</pre>Typically, a network or network hub account is used as the delegated administrator for IP Address Manager. For more information, see [Integrate IPAM with accounts in an AWS Organization](https://docs.aws.amazon.com/vpc/latest/ipam/enable-integ-ipam.html) in the IP Address Manager documentation. | AWS administrator | 

### Deploy the infrastructure
<a name="deploy-the-infrastructure"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Define the network architecture. | Define and document your network architecture, including the CIDR ranges for Regions, business units, and environments. For more information, see [Plan for IP address provisioning](https://docs.aws.amazon.com/vpc/latest/ipam/planning-ipam.html) in the IP Address Manager documentation. | Network engineer | 
| Clone the repository. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/multi-region-ipam-architecture.html) | DevOps engineer | 
| Configure the variables. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/multi-region-ipam-architecture.html) | Network engineer, Terraform | 
| Deploy the IP Address Manager resources. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/multi-region-ipam-architecture.html) | Terraform | 
| Validate the deployment. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/multi-region-ipam-architecture.html) | General AWS, Network engineer | 

### Create VPCs and set up monitoring
<a name="create-vpcs-and-set-up-monitoring"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a VPC. | Follow the steps in [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the Amazon VPC documentation. When you reach the step to choose a CIDR range for the VPC, allocate the next available CIDR range from one of your Regional, business unit, or environment pools. | General AWS, Network administrator, Network engineer | 
| Validate the CIDR range allocation. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/multi-region-ipam-architecture.html) | General AWS, Network administrator, Network engineer | 
| Monitor IP Address Manager. | Configure monitoring and alarms related to the allocation of IP Address Manager resources. For more information and instructions, see [Monitor IPAM with Amazon CloudWatch](https://docs.aws.amazon.com/vpc/latest/ipam/cloudwatch-ipam.html) and [Monitor CIDR usage by resource](https://docs.aws.amazon.com/vpc/latest/ipam/monitor-cidr-compliance-ipam.html) in the IP Address Manager documentation. | General AWS | 
| Enforce use of IP Address Manager. | Create a service control policy (SCP) in AWS Organizations that requires members in your organization to use IP Address Manager when they create a VPC. For instructions, see [Enforce IPAM use for VPC creation with SCPs](https://docs.aws.amazon.com/vpc/latest/ipam/scp-ipam.html) in the IP Address Manager documentation. | General AWS, AWS administrator | 

## Troubleshooting
<a name="multi-region-ipam-architecture-troubleshooting"></a>


| Issue | Solution | 
| --- | --- | 
| Terraform fails with IP Address Manager resource not found | Make sure that the IP Address Manager administrator account is properly delegated and that your AWS Provider is authenticated to that account. | 
| CIDR range allocation fails | Check that the requested CIDR range fits within the available range of the IP Address Manager pool and doesn't overlap with existing allocations. | 
| AWS RAM sharing issues | Verify that resource sharing is enabled for your AWS Organization. Verify that the correct principal, the organization Amazon Resource Name (ARN), is used in the AWS RAM share. | 
| Pool hierarchy validation errors | Make sure that the child pool CIDR ranges are properly contained within their parent pool CIDR ranges and don't overlap with sibling pools. | 
| IP Address Manager quota limit exceeded | Request a quota increase for IP Address Manager pools. For more information, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) in the *Service Quotas User Guide*. | 

## Related resources
<a name="multi-region-ipam-architecture-resources"></a>

**AWS service documentation**
+ [Amazon VPC IP Address Manager documentation](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html)
+ [AWS Resource Access Manager documentation](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html)
+ [AWS Organizations documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html)

**AWS blog posts**
+ [Managing IP pools across VPCs and Regions using Amazon VPC IP Address Manager](https://aws.amazon.com/blogs/networking-and-content-delivery/managing-ip-pools-across-vpcs-and-regions-using-amazon-vpc-ip-address-manager/)
+ [Network address management and auditing at scale with Amazon VPC IP Address Manager](https://aws.amazon.com/blogs/aws/network-address-management-and-auditing-at-scale-with-amazon-vpc-ip-address-manager/)

**Videos and tutorials**
+ [AWS re:Invent 2022: Best practices for Amazon VPC design and IPAM (NET310)](https://www.youtube.com/watch?v=XrEHsy_8RYs)
+ [AWS re:Invent 2022: Advanced VPC design and new capabilities (NET401)](https://www.youtube.com/watch?v=tbXTVpwx87o)

## Additional information
<a name="multi-region-ipam-architecture-additional"></a>

**Integration with AFT**

You can integrate this solution with AWS Control Tower Account Factory for Terraform (AFT) to make sure that newly provisioned accounts automatically receive proper network configurations. By deploying this IPAM solution in your network hub account, new accounts created through AFT can reference the shared IP Address Manager pools when you create VPCs.

The following code sample demonstrates AFT integration in an account customization by using AWS Systems Manager Parameter Store:

```
# Get the IP Address Manager pool ID from Parameter Store
data "aws_ssm_parameter" "dev_ipam_pool_id" {
  name = "/org/network/ipam/finance/dev/pool-id"
}

# Create a VPC using the IP Address Manager pool
resource "aws_vpc" "this" {
  ipv4_ipam_pool_id   = data.aws_ssm_parameter.dev_ipam_pool_id.value
  ipv4_netmask_length = 24
  
  tags = {
    Name = "aft-account-vpc"
  }
}
```

**Tagging strategy**

The solution implements a comprehensive tagging strategy to facilitate resource management. The following code sample demonstrates how it is used:

```
# Example tag configuration
module "tags" {
  source = "./modules/tags"
  
  # Required tags
  product_name  = "enterprise-network"
  feature_name  = "ipam"
  org_id        = "finance"
  business_unit = "network-operations"
  owner         = "network-team"
  environment   = "prod"
  repo          = "https://github.com/myorg/ipam-terraform"
  branch        = "main"
  cost_center   = "123456"
  dr_tier       = "tier1"
  
  # Optional tags
  optional_tags = {
    "project"    = "network-modernization"
    "stack_role" = "infrastructure"
  }
}
```

These tags are automatically applied to all IP Address Manager resources. This facilitates consistent governance, cost allocation, and resource management.

# Customize Amazon CloudWatch alerts for AWS Network Firewall
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall"></a>

*Jason Owens, Amazon Web Services*

## Summary
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-summary"></a>

This pattern helps you customize the Amazon CloudWatch alerts that are generated by AWS Network Firewall. You can use predefined rules or create custom rules that determine the message, metadata, and severity of the alerts. You can then act upon these alerts or automate responses through other AWS services, such as Amazon EventBridge.

In this pattern, you generate Suricata-compatible firewall rules. [Suricata](https://suricata.io/) is an open-source threat detection engine. You first create simple rules and then test them to confirm that the CloudWatch alerts are generated and logged. Once you have successfully tested the rules, you modify them to define custom messages, metadata, and severities, and you then test once more to confirm the updates.
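How a Suricata-compatible rule's `msg`, `metadata`, `classtype` and `priority` keywords determine what the logged alert carries, as an added Python example that is not part of the original pattern. It assumes Suricata's priority semantics (an explicit `priority:` keyword overrides the priority configured for the rule's `classtype`, and a classtype missing from classification.config falls back to the default priority of 3 with a warning); the classification lines are the three shown in the Additional information section, and the rules and their sids are constructed samples.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# The three classification lines shown in the Additional information section (Suricata 5.0.2).
CLASSIFICATION_CONFIG = """\
# config classification:shortname,short description,priority

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
"""

# Constructed sample rules; the sids are placeholders, not real signatures.
SAMPLE_RULES = """\
# Severity comes from the classtype's configured priority (bad-unknown -> 2).
alert http any any -> any any (msg:"Sample classtype-driven alert"; classtype:bad-unknown; sid:1000001; rev:1;)
# An explicit priority keyword overrides the classtype's priority (3 -> 1).
alert tls any any -> any any (msg:"Sample priority override"; classtype:not-suspicious; priority:1; metadata:team soc, ticket constructed-123; sid:1000002; rev:2;)
# A classtype missing from classification.config falls back to the default priority.
alert tcp any any -> any 22 (msg:"Sample unknown classtype"; classtype:typo-class; sid:1000003; rev:1;)
"""

DEFAULT_PRIORITY = 3  # Suricata's default when neither priority: nor a known classtype applies
CLASS_RE = re.compile(r"^config\s+classification:\s*([^,]+?)\s*,\s*(.+?)\s*,\s*(\d+)$")
# One rule option: keyword, optional ':' value (quoted, or up to the next ';'), then ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z0-9_.\-]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

Classification = NamedTuple("Classification", [("shortname", str), ("description", str), ("priority", int)])
ResolvedAlert = NamedTuple("ResolvedAlert", [("sid", int), ("msg", str), ("classtype", Optional[str]),
                                             ("severity", int), ("severity_source", str),
                                             ("metadata", Dict[str, str]), ("warnings", List[str])])

def parse_classification(text: str) -> Dict[str, Classification]:
    """Parse classification.config into a shortname -> Classification map."""
    classes: Dict[str, Classification] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if not m:
            raise ValueError(f"classification.config line {lineno} is malformed: {raw!r}")
        shortname, description, priority = m.groups()
        classes[shortname] = Classification(shortname, description, int(priority))
    return classes

def parse_rule_options(rule: str) -> Dict[str, Optional[str]]:
    """Return the keyword -> value map from a rule's parenthesised option list."""
    body = rule[rule.index("(") + 1:rule.rindex(")")].strip()
    options: Dict[str, Optional[str]] = {}
    pos = 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"malformed rule option near {body[pos:pos + 30]!r}")
        key, value = m.group(1), m.group(2)
        if value is not None:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop the quotes around msg:"..."
        options[key] = value
        pos = m.end()
    return options

def resolve_alert(rule: str, classes: Dict[str, Classification]) -> ResolvedAlert:
    """Work out the message, metadata and severity the alert log will carry for one rule."""
    opts = parse_rule_options(rule)
    classtype = opts.get("classtype")
    warnings: List[str] = []
    if opts.get("priority") is not None:
        severity, source = int(opts["priority"]), "priority keyword"
    elif classtype is not None and classtype in classes:
        severity, source = classes[classtype].priority, f"classtype {classtype}"
    else:
        severity, source = DEFAULT_PRIORITY, "default"
        if classtype is not None:
            warnings.append(f"classtype {classtype!r} is not in classification.config; "
                            "Suricata warns and applies the default priority")
    # metadata is "key value, key value"; keep only well-formed pairs.
    raw_meta = (opts.get("metadata") or "").split(",")
    metadata = dict(item.split(None, 1) for item in map(str.strip, raw_meta) if len(item.split()) > 1)
    return ResolvedAlert(int(opts.get("sid") or 0), opts.get("msg") or "", classtype,
                         severity, source, metadata, warnings)

def resolve_all(rules_text: str, config_text: str) -> List[ResolvedAlert]:
    """Resolve every non-comment rule line against the classification config."""
    classes = parse_classification(config_text)
    return [resolve_alert(line, classes) for line in rules_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

if __name__ == "__main__":
    for alert in resolve_all(SAMPLE_RULES, CLASSIFICATION_CONFIG):
        print(f"sid={alert.sid} severity={alert.severity} via {alert.severity_source}; "
              f"msg={alert.msg!r} metadata={alert.metadata} warnings={alert.warnings}")
```

Running this over a custom.rules file before you call `update-rule-group` shows which severity each alert will carry and catches classtype typos that would otherwise silently downgrade an alert to priority 3.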

## Prerequisites and limitations
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-prereqs"></a>

**Prerequisites**
+ An active AWS account.
+ AWS Command Line Interface (AWS CLI) installed and configured on your Linux, macOS, or Windows workstation. For more information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+ AWS Network Firewall installed and configured to use CloudWatch Logs. For more information, see [Logging network traffic from AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html).
+ An Amazon Elastic Compute Cloud (Amazon EC2) instance in a private subnet of a virtual private cloud (VPC) that is protected by Network Firewall.

**Product versions**
+ For version 1 of AWS CLI, use 1.18.180 or later. For version 2 of AWS CLI, use 2.1.2 or later.
+ The classification.config file from Suricata version 5.0.2. For a copy of this configuration file, see the [Additional information](#customize-amazon-cloudwatch-alerts-for-aws-network-firewall-additional) section.

## Architecture
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-architecture"></a>

![\[An EC2 instance request generates alert in Network Firewall, which forwards alert to CloudWatch\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/da6087a9-e942-4cfe-85e3-3b08de6f3ba5/images/778d85cd-bc87-4ed0-a161-d35eb5daa694.png)


The architecture diagram shows the following workflow:

1. An Amazon EC2 instance in a private subnet makes a request by using either [curl](https://curl.se/) or [Wget](https://www.gnu.org/software/wget/).

1. Network Firewall processes the traffic and generates an alert.

1. Network Firewall sends the logged alerts to CloudWatch Logs.

## Tools
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-tools"></a>

**AWS services**
+ [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.
+ [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) is a stateful, managed, network firewall and intrusion detection and prevention service for virtual private clouds (VPCs) in the AWS Cloud. 

**Other tools**
+ [curl](https://curl.se/) is an open-source command line tool and library.
+ [GNU Wget](https://www.gnu.org/software/wget/) is a free command line tool.

## Epics
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-epics"></a>

### Create the firewall rules and rule group
<a name="create-the-firewall-rules-and-rule-group"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create rules. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator, Network administrator | 
| Create the rule group. | In the AWS CLI, enter the following command. This creates the rule group.<pre>❯ aws network-firewall create-rule-group \<br />        --rule-group-name custom --type STATEFUL \<br />        --capacity 10 --rules file://custom.rules \<br />        --tags Key=environment,Value=development</pre>The following is an example output. Make note of the `RuleGroupArn`, which you need in a later step.<pre>{<br />    "UpdateToken": "4f998d72-973c-490a-bed2-fc3460547e23",<br />    "RuleGroupResponse": {<br />        "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",<br />        "RuleGroupName": "custom",<br />        "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",<br />        "Type": "STATEFUL",<br />        "Capacity": 10,<br />        "RuleGroupStatus": "ACTIVE",<br />        "Tags": [<br />            {<br />                "Key": "environment",<br />                "Value": "development"<br />            }<br />        ]<br />    }</pre> | AWS systems administrator | 

### Update the firewall policy
<a name="update-the-firewall-policy"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Get the ARN of the firewall policy. | In the AWS CLI, enter the following command. This returns the Amazon Resource Name (ARN) of the firewall policy. Record the ARN for use later in this pattern.<pre>❯ aws network-firewall describe-firewall \<br />    --firewall-name aws-network-firewall-anfw \<br />    --query 'Firewall.FirewallPolicyArn'</pre>The following is an example ARN that is returned by this command.<pre>"arn:aws:network-firewall:us-east-2:1234567890:firewall-policy/firewall-policy-anfw"</pre> | AWS systems administrator | 
| Update the firewall policy. | In a text editor, copy and paste the following code. Replace `<RuleGroupArn>` with the value you recorded in the previous epic. Save the file as `firewall-policy-anfw.json`.<pre>{<br />    "StatelessDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatelessFragmentDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatefulRuleGroupReferences": [<br />        {<br />            "ResourceArn": "<RuleGroupArn>"<br />        }<br />    ]<br />}</pre>Enter the following command in the AWS CLI. This command requires an [update token](https://docs.aws.amazon.com/cli/latest/reference/network-firewall/update-firewall-policy.html) to add the new rules. The token is used to confirm that the policy hasn't changed since you last retrieved it.<pre>UPDATETOKEN=(`aws network-firewall describe-firewall-policy \<br />              --firewall-policy-name firewall-policy-anfw \<br />              --output text --query UpdateToken`)<br /> <br /> aws network-firewall update-firewall-policy \<br /> --update-token $UPDATETOKEN \<br /> --firewall-policy-name firewall-policy-anfw \<br /> --firewall-policy file://firewall-policy-anfw.json</pre> | AWS systems administrator | 
| Confirm the policy updates. | (Optional) If you would like to confirm the rules were added and view the policy format, enter the following command in the AWS CLI.<pre>❯ aws network-firewall describe-firewall-policy \<br />  --firewall-policy-name firewall-policy-anfw \<br />  --query FirewallPolicy</pre>The following is an example output.<pre>{<br />    "StatelessDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatelessFragmentDefaultActions": [<br />        "aws:forward_to_sfe"<br />    ],<br />    "StatefulRuleGroupReferences": [<br />        {<br />            "ResourceArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom"<br />        }<br />    ]<br />}</pre> | AWS systems administrator | 

### Test alert functionality
<a name="test-alert-functionality"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Generate alerts for testing. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
| Validate that the alerts are logged. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 

### Update the firewall rules and rule group
<a name="update-the-firewall-rules-and-rule-group"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Update the firewall rules. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
| Update the rule group. | In the AWS CLI, run the following commands. Use the ARN of your firewall policy. These commands get an update token and update the rule group with the rule changes.<pre>❯ UPDATETOKEN=(`aws network-firewall \<br />                describe-rule-group \<br />--rule-group-arn arn:aws:network-firewall:us-east-2:123457890:stateful-rulegroup/custom \<br />--output text --query UpdateToken`)</pre><pre> ❯ aws network-firewall update-rule-group \<br />  --rule-group-arn arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom \<br />--rules file://custom.rules \<br />--update-token $UPDATETOKEN</pre>The following is an example output.<pre>{<br />    "UpdateToken": "7536939f-6a1d-414c-96d1-bb28110996ed",<br />    "RuleGroupResponse": {<br />        "RuleGroupArn": "arn:aws:network-firewall:us-east-2:1234567890:stateful-rulegroup/custom",<br />        "RuleGroupName": "custom",<br />        "RuleGroupId": "238a8259-9eaf-48bb-90af-5e690cf8c48b",<br />        "Type": "STATEFUL",<br />        "Capacity": 10,<br />        "RuleGroupStatus": "ACTIVE",<br />        "Tags": [<br />            {<br />                "Key": "environment",<br />                "Value": "development"<br />            }<br />        ]<br />    }<br />}</pre> | AWS systems administrator | 

### Test the updated alert functionality
<a name="test-the-updated-alert-functionality"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Generate an alert for testing. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 
| Validate the alert changed. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/customize-amazon-cloudwatch-alerts-for-aws-network-firewall.html) | AWS systems administrator | 

## Related resources
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-resources"></a>

**References**
+ [Send alerts from AWS Network Firewall to a Slack channel](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-alerts-from-aws-network-firewall-to-a-slack-channel.html) (AWS Prescriptive Guidance)
+ [Scaling threat prevention on AWS with Suricata](https://aws.amazon.com/blogs/opensource/scaling-threat-prevention-on-aws-with-suricata/) (AWS blog post)
+ [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/) (AWS blog post)
+ [Suricata meta keywords](https://suricata.readthedocs.io/en/suricata-6.0.1/rules/meta.html) (Suricata documentation)

**Tutorials and videos**
+ [AWS Network Firewall workshop](https://networkfirewall.workshop.aws/)

## Additional information
<a name="customize-amazon-cloudwatch-alerts-for-aws-network-firewall-additional"></a>

The following is the classification configuration file from Suricata 5.0.2. These classifications are used when creating the firewall rules: a rule's `classtype` keyword must reference one of these short names, and the priority in the last column becomes the severity of the alerts the rule raises (1 is the most severe) unless the rule sets `priority` explicitly.

```
# config classification:shortname,short description,priority
 
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
 
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
 
# Update
config classification: targeted-activity,Targeted Malicious Activity was Detected,1
config classification: exploit-kit,Exploit Kit Activity Detected,1
config classification: external-ip-check,Device Retrieving External IP Address Detected,2
config classification: domain-c2,Domain Observed Used for C2 Detected,1
config classification: pup-activity,Possibly Unwanted Program Detected,2
config classification: credential-theft,Successful Credential Theft Detected,1
config classification: social-engineering,Possible Social Engineering Attempted,2
config classification: coin-mining,Crypto Currency Mining Activity Detected,2
config classification: command-and-control,Malware Command and Control Activity Detected,1
```
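
The following Python script is an added example for this page, not part of the pattern or of Suricata. It parses entries in the format shown above into a lookup table and derives, for each rule, the `category` and `severity` values that the rule's alerts carry in Suricata's EVE output, which is the shape of Network Firewall alert logs and therefore what a CloudWatch metric filter on alert priority matches against. It relies on Suricata's documented behaviour that an explicit `priority` keyword in a rule overrides the classification's priority and that a rule without `classtype` gets priority 3. The configuration excerpt and the rules below are constructed for the example.

```python
import re

# Constructed excerpt of the classification.config shown above (the full file
# has more entries). Two lines keep the stray space before the priority that
# the real file contains, so the parser must tolerate it.
SAMPLE_CLASSIFICATION_CONFIG = """\
# config classification:shortname,short description,priority

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: web-application-attack,Web Application Attack,1
config classification: tcp-connection,A TCP connection was detected,4
"""

# Constructed Suricata rules of the kind loaded into the stateful rule group.
SAMPLE_RULES = [
    'alert tcp any any -> any 23 (msg:"Telnet attempt"; classtype:bad-unknown; sid:1000001; rev:1;)',
    'alert http any any -> any any (msg:"Admin path probe"; content:"/admin"; http_uri; '
    'classtype:attempted-admin; priority:3; sid:1000002; rev:1;)',
    'alert tcp any any -> any 4444 (msg:"No classtype"; sid:1000003; rev:1;)',
]

CONFIG_LINE = re.compile(r"^config\s+classification:\s*(?P<body>.+)$")
CLASSTYPE_KW = re.compile(r"\bclasstype:\s*([A-Za-z0-9_-]+)\s*;")
PRIORITY_KW = re.compile(r"\bpriority:\s*(\d+)\s*;")
DEFAULT_PRIORITY = 3  # Suricata's priority for a rule that has no classtype


def parse_classification_config(text):
    """Parse classification.config into {shortname: (description, priority)}.

    Blank lines and comments are skipped. Malformed or duplicate entries raise,
    because a typo here silently changes the severity of every alert that
    references the classification.
    """
    classes = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a classification entry: {raw!r}")
        # shortname is the first field and priority the last; the description
        # in between may itself contain commas.
        parts = m.group("body").split(",")
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected shortname,description,priority: {raw!r}")
        name, priority = parts[0].strip(), parts[-1].strip()
        description = ",".join(parts[1:-1]).strip()
        if not name or not priority.isdigit():
            raise ValueError(f"line {lineno}: bad shortname or priority: {raw!r}")
        if name in classes:
            raise ValueError(f"line {lineno}: duplicate classification {name!r}")
        classes[name] = (description, int(priority))
    return classes


def rule_alert_fields(rule, classes):
    """Return (category, severity) that alerts from this rule carry in EVE output:
    the classtype's description and priority, unless the rule's own priority
    keyword overrides the latter. An unknown classtype is an error, as it is for
    Suricata when it loads the rule."""
    category, severity = None, DEFAULT_PRIORITY
    ct = CLASSTYPE_KW.search(rule)
    if ct:
        if ct.group(1) not in classes:
            raise ValueError(f"unknown classtype {ct.group(1)!r} in rule: {rule}")
        category, severity = classes[ct.group(1)]
    pr = PRIORITY_KW.search(rule)
    if pr:
        severity = int(pr.group(1))
    return category, severity


def rules_with_severity_at_most(rules, classes, max_severity):
    """Rules whose alerts would have severity <= max_severity (1 is most severe),
    i.e. the ones a metric filter on that severity threshold would count."""
    return [r for r in rules if rule_alert_fields(r, classes)[1] <= max_severity]


if __name__ == "__main__":
    table = parse_classification_config(SAMPLE_CLASSIFICATION_CONFIG)
    for rule in SAMPLE_RULES:
        print(rule_alert_fields(rule, table), "<-", rule[:60])
```

Run it against the full configuration file above by passing the file contents to `parse_classification_config`; rules that reference a name not in the table fail fast instead of being deployed with the wrong severity.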

# Deploy resources in an AWS Wavelength Zone by using Terraform
<a name="deploy-resources-wavelength-zone-using-terraform"></a>

*Zahoor Chaudhrey and Luca Iannario, Amazon Web Services*

## Summary
<a name="deploy-resources-wavelength-zone-using-terraform-summary"></a>

[AWS Wavelength](https://docs.aws.amazon.com/wavelength/latest/developerguide/what-is-wavelength.html) helps you build infrastructure that is optimized for Multi-Access Edge Computing (MEC) applications. *Wavelength Zones* are AWS infrastructure deployments that embed AWS compute and storage services within communications service providers’ (CSP) 5G networks. Application traffic from 5G devices reaches application servers running in Wavelength Zones without leaving the telecommunications network. The following facilitate network connectivity through Wavelength:
+ **Virtual private clouds (VPCs)** – VPCs in an AWS account can extend to span multiple Availability Zones, including Wavelength Zones. Amazon Elastic Compute Cloud (Amazon EC2) instances and related services appear as part of your Regional VPC. VPCs are created and managed in [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).
+ **Carrier gateway** – A carrier gateway enables connectivity from the subnet in the Wavelength Zone to the CSP network, the internet, or the AWS Region through the CSP’s network. The carrier gateway serves two purposes. It allows inbound traffic from a CSP network in a specific location, and it allows outbound traffic to the telecommunications network and the internet. Security groups and network ACLs apply to instances in a Wavelength Zone subnet exactly as in any other subnet, so scope the inbound rules to the ports that the application must expose to the carrier network.

This pattern and its associated Terraform code help you launch resources, such as Amazon EC2 instances, Amazon Elastic Block Store (Amazon EBS) volumes, VPCs, subnets, and a carrier gateway, in a Wavelength Zone.

## Prerequisites and limitations
<a name="deploy-resources-wavelength-zone-using-terraform-prereqs"></a>

**Prerequisites**
+ An active AWS account
+ An integrated development environment (IDE)
+ [Opt in](https://docs.aws.amazon.com/wavelength/latest/developerguide/get-started-wavelength.html#enable-zone-group) to the target Wavelength Zone
+ AWS Command Line Interface (AWS CLI), [installed](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)
+ Terraform version 1.8.4 or later, [installed](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) (Terraform documentation)
+ Terraform AWS Provider version 5.32.1 or later, [configured](https://hashicorp.github.io/terraform-provider-aws/) (Terraform documentation)
+ Git, [installed](https://github.com/git-guides/install-git) (GitHub)
+ [Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to create Amazon VPC, Wavelength, and Amazon EC2 resources

**Limitations**

Not all AWS Regions support Wavelength Zones. For more information, see [Available Wavelength Zones](https://docs.aws.amazon.com/wavelength/latest/developerguide/available-wavelength-zones.html) in the Wavelength documentation.

## Architecture
<a name="deploy-resources-wavelength-zone-using-terraform-architecture"></a>

The following diagram shows how you can create a subnet and AWS resources in a Wavelength Zone. VPCs that contain a subnet in a Wavelength Zone can connect to a carrier gateway. A carrier gateway allows you to connect to the following resources:
+ 4G/LTE and 5G devices on the telecommunication carrier's network.
+ Fixed wireless access for select Wavelength Zone partners. For more information, see [Multi-access AWS Wavelength](https://docs.aws.amazon.com/wavelength/latest/developerguide/multi-access.html).
+ Outbound traffic to public internet resources.

![\[A carrier gateway connects AWS resources in the Wavelength Zone to the CSP network.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/8c507de1-208c-4563-bb58-52388ab2fa6d/images/a4cc0699-0cbc-4f15-ab14-3ae569ced7f4.png)


## Tools
<a name="deploy-resources-wavelength-zone-using-terraform-tools"></a>

**AWS services**
+ [Amazon Virtual Private Cloud (Amazon VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
+ [AWS Wavelength](https://docs.aws.amazon.com/wavelength/latest/developerguide/what-is-wavelength.html) extends AWS Cloud infrastructure to telecommunication providers’ 5G networks. This helps you build applications that deliver ultra-low latencies to mobile devices and end users.

**Other tools**
+ [Terraform](https://www.terraform.io/) is an infrastructure as code (IaC) tool from HashiCorp that helps you create and manage cloud and on-premises resources.

**Code repository**

The code for this pattern is available in the GitHub [Creating AWS Wavelength Infrastructure using Terraform](https://github.com/aws-samples/terraform-wavelength-infrastructure) repository. The Terraform code deploys the following infrastructure and resources:
+ A VPC
+ A public subnet in the Wavelength Zone that you opted in to (the Zone itself is AWS infrastructure; Terraform doesn't create it)
+ A carrier gateway in the Wavelength Zone
+ An Amazon EC2 instance in the Wavelength Zone

## Best practices
<a name="deploy-resources-wavelength-zone-using-terraform-best-practices"></a>
+ Before deploying, confirm that you're using the latest versions of Terraform and the AWS CLI.
+ Use a continuous integration and continuous delivery (CI/CD) pipeline to deploy IaC. For more information, see [Best practices for managing Terraform State files in AWS CI/CD Pipeline](https://aws.amazon.com/blogs/devops/best-practices-for-managing-terraform-state-files-in-aws-ci-cd-pipeline/) on AWS Blogs.

## Epics
<a name="deploy-resources-wavelength-zone-using-terraform-epics"></a>

### Provision the infrastructure
<a name="provision-the-infrastructure"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Clone the repository. | Enter the following command to clone the [Creating AWS Wavelength Infrastructure using Terraform](https://github.com/aws-samples/terraform-wavelength-infrastructure) repository to your environment.<pre>git clone git@github.com:aws-samples/terraform-wavelength-infrastructure.git</pre> | DevOps engineer | 
| Update the variables. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-resources-wavelength-zone-using-terraform.html) | DevOps engineer, Terraform | 
| Initialize the configuration. | Enter the following command to initialize the working directory.<pre>terraform init</pre> | DevOps engineer, Terraform | 
| Preview the Terraform plan. | Enter the following command to compare the target state against the current state of your AWS environment. This command generates a preview of the resources that will be configured.<pre>terraform plan</pre> | DevOps engineer, Terraform | 
| Verify and deploy. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-resources-wavelength-zone-using-terraform.html) | DevOps engineer, Terraform | 

### Validate and clean up
<a name="validate-and-clean-up"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Verify the infrastructure deployment. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-resources-wavelength-zone-using-terraform.html) | AWS DevOps, DevOps engineer | 
| (Optional) Clean up the infrastructure. | If you need to delete all of the resources that were provisioned by Terraform, do the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-resources-wavelength-zone-using-terraform.html) | DevOps engineer, Terraform | 

## Troubleshooting
<a name="deploy-resources-wavelength-zone-using-terraform-troubleshooting"></a>


| Issue | Solution | 
| --- | --- | 
| Connectivity to Amazon EC2 instances in the AWS Region. | See [Troubleshoot connecting to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html) or [Troubleshoot connecting to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshooting-windows-instances.html). | 
| Connectivity to Amazon EC2 instances in the Wavelength Zone. | See [Troubleshoot SSH or RDP connectivity to my EC2 instances launched in a Wavelength Zone](https://repost.aws/knowledge-center/ec2-wavelength-zone-connection-errors). | 
| Capacity in the Wavelength Zone. | See [Quotas and considerations for Wavelength Zones](https://docs.aws.amazon.com/wavelength/latest/developerguide/wavelength-quotas.html). | 
| Mobile or carrier connectivity from the carrier network to the AWS Region. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-resources-wavelength-zone-using-terraform.html) | 

## Related resources
<a name="deploy-resources-wavelength-zone-using-terraform-resources"></a>
+ [What is AWS Wavelength?](https://docs.aws.amazon.com/wavelength/latest/developerguide/what-is-wavelength.html)
+ [How AWS Wavelength works](https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html)
+ [Resilience in AWS Wavelength](https://docs.aws.amazon.com/wavelength/latest/developerguide/disaster-recovery-resiliency.html)

# Migrate DNS records in bulk to an Amazon Route 53 private hosted zone
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone"></a>

*Ram Kandaswamy, Amazon Web Services*

## Summary
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone-summary"></a>

Network engineers and cloud administrators need an efficient and simple way to add Domain Name System (DNS) records to private hosted zones in Amazon Route 53. Using a manual approach to copy entries from a Microsoft Excel worksheet to appropriate locations in the Route 53 console is tedious and error prone. This pattern describes an automated approach that reduces the time and effort required to add multiple records. It also provides a repeatable set of steps for multiple hosted zone creation.

This pattern uses Amazon Simple Storage Service (Amazon S3) to store records. To work with data efficiently, the pattern uses the JSON format because of its simplicity and its ability to support a Python dictionary (`dict` data type).

**Note**  
If you can generate a zone file from your system, consider using the [Route 53 import feature](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating-import.html) instead.

## Prerequisites and limitations
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone-prereqs"></a>

**Prerequisites**
+ An Excel worksheet that contains private hosted zone records
+ Familiarity with different types of DNS records such as A record, Name Authority Pointer (NAPTR) record, and SRV record (see [Supported DNS record types](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html))
+ Familiarity with the Python language and its libraries

**Limitations**
+ The pattern doesn’t provide extensive coverage for all use case scenarios. For example, the [change_resource_record_sets](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/route53.html#Route53.Client.change_resource_record_sets) call doesn’t use all the available properties of the API.
+ In the Excel worksheet, the value in each row is assumed to be unique. Multiple values for each fully qualified domain name (FQDN) are expected to appear in the same row. If that is not true, you should modify the code provided in this pattern to perform the necessary concatenation.
+ The pattern uses the AWS SDK for Python (Boto3) to call the Route 53 service directly. You can enhance the code to use an AWS CloudFormation wrapper for the `create_stack` and `update_stack` commands, and use the JSON values to populate template resources.

## Architecture
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone-architecture"></a>

**Technology stack**
+ Route 53 private hosted zones for routing traffic
+ Amazon S3 for storing the output JSON file

![\[Workflow for migrating DNS records in bulk to a Route 53 private hosted zone.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/a81c29ea-f0c5-4d4a-ba87-93111a0f1ee9/images/2ada844b-4147-4f9f-8883-d22605aa42d8.png)


The workflow consists of these steps, as illustrated in the previous diagram and discussed in the *Epics* section:

1. Upload an Excel worksheet that has the record set information to an S3 bucket.

1. Create and run a Python script that converts the Excel data to JSON format.

1. Read the records from the S3 bucket and clean the data.

1. Create record sets in your private hosted zone.

## Tools
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone-tools"></a>
+ [Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html) –  Amazon Route 53 is a highly available and scalable DNS web service that handles domain registration, DNS routing, and health checking.
+ [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) – Amazon Simple Storage Service (Amazon S3) is an object storage service. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web.

## Epics
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone-epics"></a>

### Prepare data for automation
<a name="prepare-data-for-automation"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create an Excel file for your records. | Use the records you exported from your current system to create an Excel worksheet that has the required columns for a record, such as fully qualified domain name (FQDN), record type, Time to Live (TTL), and value. For NAPTR and SRV records, the value is a combination of multiple properties, so use Excel's `CONCAT` function to combine these properties into the single value column. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone.html) | Data engineer, Excel skills | 
| Verify the working environment. | In your IDE, create a Python file to convert the Excel input worksheet to JSON format. (Instead of an IDE, you can also use an Amazon SageMaker notebook to work with Python code.) Verify that the Python version you’re using is version 3.7 or later.<pre>python3 --version</pre>Install the **pandas** package. pandas reads `.xls` workbooks through the `xlrd` package and `.xlsx` workbooks through `openpyxl`, so install the engine that matches your file format as well.<pre>pip3 install pandas xlrd openpyxl --user</pre> | General AWS | 
| Convert the Excel worksheet data to JSON. | Create a Python file that contains the following code to convert from Excel to JSON.<pre>import pandas as pd<br /><br /># Read the first worksheet of the workbook; pandas picks the engine from the extension.<br />data = pd.read_excel('./Book1.xls')<br /># One JSON object per row, keyed by the column headers.<br />data.to_json(path_or_buf='my.json', orient='records')</pre>where `Book1.xls` is the Excel workbook and `my.json` is the name of the output JSON file. | Data engineer, Python skills | 
| Upload the JSON file to an S3 bucket. | Upload the `my.json` file to an S3 bucket. For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the Amazon S3 documentation. | App developer | 

The worksheet is expected to hold one record per row with the following columns (example row):

| FqdnName | RecordType | Value | TTL | 
| --- | --- | --- | --- | 
| something.example.org | A | 1.1.1.1 | 900 | 

### Insert records
<a name="insert-records"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a private hosted zone. | Use the [create_hosted_zone](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/route53.html#Route53.Client.create_hosted_zone) API and the following Python sample code to create a private hosted zone. Replace the values of `hostedZoneName`, `vpcRegion`, and `vpcId` with your own. `CallerReference` must be unique for each request, so the code uses a UUID. The hosted zone ID that the insert step needs is returned in `response['HostedZone']['Id']`.<pre>import boto3<br />import uuid<br /><br />hostedZoneName = "xxx"<br />vpcRegion = "us-east-1"<br />vpcId = "vpc-xxxx"<br /><br />route53_client = boto3.client('route53')<br />response = route53_client.create_hosted_zone(<br />    Name=hostedZoneName,<br />    VPC={<br />        'VPCRegion': vpcRegion,<br />        'VPCId': vpcId<br />    },<br />    # Unique per request; reusing a reference with different parameters is rejected.<br />    CallerReference=str(uuid.uuid4()),<br />    HostedZoneConfig={<br />        'Comment': "private hosted zone created by automation",<br />        'PrivateZone': True<br />    }<br />)<br />print(response)</pre>You can also use an infrastructure as code (IaC) tool such as AWS CloudFormation to replace these steps with a template that creates a stack with the appropriate resources and properties. | Cloud architect, Network administrator, Python skills | 
| Retrieve details as a dictionary from Amazon S3. | Use the following code to read the object from the S3 bucket and load the JSON values into Python. Replace `bucket_name` with the bucket you uploaded `my.json` to.<pre>import json<br />import boto3<br /><br />s3_client = boto3.client('s3')<br />bucket_name = "xxx"<br /><br />fileobj = s3_client.get_object(<br />    Bucket=bucket_name,<br />    Key='my.json'<br />)<br />filedata = fileobj['Body'].read()<br />contents = filedata.decode('utf-8')<br />json_content = json.loads(contents)<br />print(json_content)</pre>where `json_content` is a Python list that contains one dictionary per record (the `orient='records'` layout written in the previous epic). | App developer, Python skills | 
| Clean data values for spaces and Unicode characters. | As a safety measure to ensure the correctness of data, use the following code to strip the values in `json_content`. It removes whitespace at the front and end of each string, uses `replace` to remove hard (non-breaking) spaces (the `\xa0` characters), and normalizes the FQDN to NFKD form so that visually identical Unicode variants compare equal.<pre>import unicodedata<br /><br />for item in json_content:<br />    fqn_name = unicodedata.normalize("NFKD", item["FqdnName"].replace("u'", "'").replace('\xa0', '').strip())<br />    rec_type = item["RecordType"].replace('\xa0', '').strip()<br />    res_rec = {<br />        'Value': item["Value"].replace('\xa0', '').strip()<br />    }</pre> | App developer, Python skills | 
| Insert records. | Use the following code inside the previous `for` loop. `ResourceRecords` must be a list, so the single `res_rec` dictionary is wrapped in one; `UPSERT` creates the record or overwrites an existing record that has the same name and type.<pre>    change_response = route53_client.change_resource_record_sets(<br />        HostedZoneId="xxxxxxxx",<br />        ChangeBatch={<br />            'Comment': 'Created by automation',<br />            'Changes': [<br />                {<br />                    'Action': 'UPSERT',<br />                    'ResourceRecordSet': {<br />                        'Name': fqn_name,<br />                        'Type': rec_type,<br />                        'TTL': int(item["TTL"]),<br />                        'ResourceRecords': [res_rec]<br />                    }<br />                }<br />            ]<br />        }<br />    )</pre>where `xxxxxxxx` is the hosted zone ID returned by the first step of this epic. | App developer, Python skills | 
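
The following is an added example, not the pattern's own code, that puts the steps of this epic together offline: it takes the JSON that the Excel conversion writes, cleans each row as above, validates it against what Route 53 accepts, and builds the `ChangeBatch` structures for `change_resource_record_sets` without calling AWS. It goes beyond the single-value case shown in the pattern: several values in one cell are split on an assumed `;` separator, TXT values are quoted as Route 53 requires, a CNAME with more than one value and a repeated name/type pair are rejected, and the changes are split into batches that stay within the 1,000 `ResourceRecord` elements Route 53 allows per request. The input rows are constructed from the worksheet layout shown earlier.

```python
import json
import unicodedata

# Record types Route 53 accepts (see the supported record types page linked in
# the prerequisites); extend the set if you rely on newer types.
SUPPORTED_TYPES = {"A", "AAAA", "CAA", "CNAME", "DS", "MX", "NAPTR", "NS",
                   "PTR", "SOA", "SPF", "SRV", "TXT"}
MAX_RECORDS_PER_BATCH = 1000  # Route 53 caps ResourceRecord elements per request

# Constructed input in the shape pandas to_json(orient='records') produces from
# the worksheet: one object per row. The first name carries the padding and
# non-breaking space that Excel exports often contain; the multi-value cell
# uses ';' as the separator assumed by this example.
SAMPLE_JSON = json.dumps([
    {"FqdnName": " app.example.internal\u00a0", "RecordType": "A",
     "Value": "10.0.1.10;10.0.1.11", "TTL": 300},
    {"FqdnName": "alias.example.internal", "RecordType": "cname",
     "Value": "app.example.internal", "TTL": 300},
    {"FqdnName": "_sip._tcp.example.internal", "RecordType": "SRV",
     "Value": "10 5 5060 sip.example.internal", "TTL": 900},
    {"FqdnName": "example.internal", "RecordType": "TXT",
     "Value": "v=spf1 -all", "TTL": 3600},
])


def load_rows(text):
    """Parse the JSON written by the Excel-to-JSON step into a list of rows."""
    rows = json.loads(text)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of records (orient='records')")
    return rows


def clean(value):
    """Drop non-breaking spaces, normalize Unicode, trim surrounding whitespace."""
    return unicodedata.normalize("NFKD", str(value).replace("\xa0", "")).strip()


def to_record_set(row, value_separator=";"):
    """Turn one worksheet row into a validated Route 53 ResourceRecordSet.

    Multiple values for one name are expected in the same cell (the pattern's
    stated assumption), separated by value_separator.
    """
    name = clean(row["FqdnName"]).lower().rstrip(".") + "."   # canonical FQDN
    rtype = clean(row["RecordType"]).upper()
    if rtype not in SUPPORTED_TYPES:
        raise ValueError(f"{name}: unsupported record type {rtype!r}")
    ttl = int(row["TTL"])
    if ttl < 0:
        raise ValueError(f"{name}: TTL must be a non-negative integer")
    values = [v for v in (clean(v) for v in str(row["Value"]).split(value_separator)) if v]
    if not values:
        raise ValueError(f"{name}: no value")
    if rtype == "CNAME" and len(values) > 1:
        raise ValueError(f"{name}: a CNAME record set can hold only one value")
    if rtype == "TXT":
        # Route 53 requires TXT values to be enclosed in double quotes.
        values = [v if v.startswith('"') and v.endswith('"') else f'"{v}"' for v in values]
    return {"Name": name, "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}


def build_change_batches(rows, comment="Created by automation",
                         max_records=MAX_RECORDS_PER_BATCH):
    """Build the ChangeBatch dicts to pass to change_resource_record_sets.

    Rejects rows that repeat a name/type pair, because with UPSERT the later
    row would silently overwrite the earlier one. Splits the changes so that no
    batch exceeds max_records ResourceRecord elements.
    """
    seen, batches, current, count = set(), [], [], 0
    for row in rows:
        rrset = to_record_set(row)
        key = (rrset["Name"], rrset["Type"])
        if key in seen:
            raise ValueError(f"duplicate {key[1]} record for {key[0]} in input")
        seen.add(key)
        n = len(rrset["ResourceRecords"])
        if current and count + n > max_records:
            batches.append({"Comment": comment, "Changes": current})
            current, count = [], 0
        current.append({"Action": "UPSERT", "ResourceRecordSet": rrset})
        count += n
    if current:
        batches.append({"Comment": comment, "Changes": current})
    return batches


if __name__ == "__main__":
    # Real use: route53_client.change_resource_record_sets(
    #               HostedZoneId=zone_id, ChangeBatch=batch) for each batch.
    for batch in build_change_batches(load_rows(SAMPLE_JSON)):
        print(json.dumps(batch, indent=2))
```

Because every row is validated before the first API call, a bad row fails the run up front instead of leaving the hosted zone half-populated.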

## Related resources
<a name="migrate-dns-records-in-bulk-to-an-amazon-route-53-private-hosted-zone-resources"></a>

**References**
+ [Creating records by importing a zone file](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating-import.html) (Amazon Route 53 documentation)
+ [create_hosted_zone method](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/route53.html#Route53.Client.create_hosted_zone) (Boto3 documentation)
+ [change_resource_record_sets method](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/route53.html#Route53.Client.change_resource_record_sets) (Boto3 documentation)

**Tutorials and videos**
+ [The Python Tutorial](https://docs.python.org/3/tutorial/) (Python documentation)
+ [DNS design using Amazon Route 53](https://www.youtube.com/watch?v=2y_RBjDkRgY) (YouTube video, *AWS Online Tech Talks*)

# Modify HTTP headers when you migrate from F5 to an Application Load Balancer on AWS
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws"></a>

*Sachin Trivedi, Amazon Web Services*

## Summary
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws-summary"></a>

When you migrate an application that uses an F5 load balancer to Amazon Web Services (AWS) and want to front it with an Application Load Balancer, carrying over the F5 rules that modify HTTP headers is a common problem. An Application Load Balancer doesn't offer the general header rewriting that an F5 iRule does, but you can put Amazon CloudFront in front of it as a content delivery network (CDN) and use Lambda@Edge to modify headers. (If all you need is to set a fixed header value, a CloudFront response headers policy can do that without a function; Lambda@Edge is the tool when the value or the decision depends on the request or the origin response.)

This pattern describes the required integrations and provides sample code for header modification by using Amazon CloudFront and Lambda@Edge.

## Prerequisites and limitations
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws-prereqs"></a>

**Prerequisites**
+ An on-premises application that uses an F5 load balancer with a configuration that replaces an HTTP header value by using an `if`/`else` iRule. For more information about this configuration, see [HTTP::header](https://clouddocs.f5.com/api/irules/HTTP__header.html) in the F5 product documentation. 

**Limitations**
+ This pattern applies to F5 load balancer header customization. For other third-party load balancers, please check the load balancer documentation for support information.
+ The Lambda functions that you use for Lambda@Edge must be in the US East (N. Virginia) Region.

## Architecture
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws-architecture"></a>

The following diagram shows the architecture on AWS, including the integration flow between the CDN and other AWS components.

![\[Architecture for header modification by using Amazon CloudFront and Lambda@Edge\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/00abbe3c-2453-4291-9b24-b488dced4868/images/4ee9a19e-6da2-4c5a-a8bc-19d3918a166e.png)


## Tools
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws-tools"></a>

**AWS services**
+ [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) ─ An Application Load Balancer is a fully managed AWS load balancing service that operates at layer 7 of the Open Systems Interconnection (OSI) model. It distributes traffic across multiple targets and supports advanced request routing based on HTTP headers and methods, query strings, and host-based or path-based rules.
+ [Amazon CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html) – Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations for lower latency and improved performance.
+ [Lambda@Edge](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html) ─ Lambda@Edge is an extension of AWS Lambda that lets you run functions to customize the content that CloudFront delivers. You can author functions in the US East (N. Virginia) Region, and then associate the function with a CloudFront distribution to automatically replicate your code around the world, without provisioning or managing servers. This reduces latency and improves the user experience.

**Code**

The following sample code provides a blueprint for modifying CloudFront response headers. Follow the instructions in the *Epics* section to deploy the code.

```
exports.handler = async (event, context) => {
    // Origin-response event: CloudFront passes one record per invocation.
    const response = event.Records[0].cf.response;
    const headers = response.headers;

    // Header to set and its value. CloudFront keys the headers object by
    // lowercase name; the "key" field carries the spelling sent to the client.
    const headerNameSrc = 'content-security-policy';
    const headerNameValue = '*.xyz.com';
    const headerKey = headerNameSrc.toLowerCase();

    // Replace the header if the origin sent one, otherwise add it. Only the
    // replace case is logged.
    const existed = Boolean(headers[headerKey]);
    headers[headerKey] = [{
        key: headerNameSrc,
        value: headerNameValue,
    }];
    if (existed) {
        console.log(`Response header "${headerNameSrc}" was set to ` +
                    `"${headers[headerKey][0].value}"`);
    }
    return response;
};
```
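
The following is an added example written for this page, not the blueprint above or AWS code: a Lambda@Edge origin-response handler in Python that replays the three operations an F5 iRule performs with `HTTP::header` (replace, insert only if absent, remove) from a rule table, which is the general form of which the blueprint is one instance. It assumes an origin-response trigger; the header names and values, including the `xyz.com` host, are illustrative. Note that `*.xyz.com` on its own is not a usable `Content-Security-Policy`: browsers ignore a policy that has no directive, so a real value needs a directive such as `default-src`. The event below is constructed, not captured from a distribution.

```python
# (action, header name, value). Actions mirror HTTP::header replace / insert /
# remove in an F5 iRule.
HEADER_RULES = [
    # Set unconditionally: overwrite what the origin sent, add if missing.
    ("set", "Content-Security-Policy",
     "default-src 'self' https://*.xyz.com; frame-ancestors 'none'"),
    ("set", "Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    # Add only when the origin did not already send a value.
    ("set-if-absent", "X-Content-Type-Options", "nosniff"),
    # Strip origin fingerprinting headers.
    ("remove", "Server", None),
    ("remove", "X-Powered-By", None),
]


def apply_header_rules(headers, rules=HEADER_RULES):
    """Apply the rules in place to a CloudFront headers dict, whose shape is
    {lowercase-name: [{"key": Name, "value": v}, ...]}, and return the list of
    (change, header name) pairs that actually altered something."""
    changed = []
    for action, name, value in rules:
        key = name.lower()            # CloudFront keys headers by lowercase name
        present = key in headers
        if action == "set":
            headers[key] = [{"key": name, "value": value}]
            changed.append(("replaced" if present else "inserted", name))
        elif action == "set-if-absent":
            if not present:
                headers[key] = [{"key": name, "value": value}]
                changed.append(("inserted", name))
        elif action == "remove":
            if present:
                del headers[key]
                changed.append(("removed", name))
        else:
            raise ValueError(f"unknown header action {action!r}")
    return changed


def lambda_handler(event, context):
    """Entry point for the origin-response trigger."""
    response = event["Records"][0]["cf"]["response"]
    for change, name in apply_header_rules(response.setdefault("headers", {})):
        # Goes to CloudWatch Logs in the Region of the edge location that ran it.
        print(f"{change} response header {name}")
    return response


def make_sample_event():
    """Constructed origin-response event in the Lambda@Edge event shape."""
    return {"Records": [{"cf": {
        "config": {"eventType": "origin-response", "distributionId": "EXAMPLE"},
        "request": {"method": "GET", "uri": "/index.html", "headers": {}},
        "response": {"status": "200", "statusDescription": "OK", "headers": {
            "server": [{"key": "Server", "value": "nginx/1.18.0"}],
            "content-type": [{"key": "Content-Type", "value": "text/html"}],
            "content-security-policy": [{"key": "Content-Security-Policy",
                                         "value": "default-src *"}],
        }},
    }}]}


if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(make_sample_event(), None)["headers"], indent=2))
```

Lambda@Edge has no environment variables, so the rule table lives in the code; changing it means publishing a new function version and re-associating it with the distribution, the same step the Epics below describe for the blueprint.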

## Epics
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws-epics"></a>

### Create a CDN distribution
<a name="create-a-cdn-distribution"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a CloudFront web distribution.  | In this step, you create a CloudFront distribution to tell CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. To create a distribution by using the console, sign in to the AWS Management Console, open the [CloudFront console](https://console.aws.amazon.com/cloudfront/v3/home), and then follow the steps in the [CloudFront documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating-console.html). | Cloud administrator | 

### Create and deploy the Lambda@Edge function
<a name="create-and-deploy-the-lambda-edge-function"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create and deploy a Lambda@Edge function. | You can create a Lambda@Edge function by using a blueprint for modifying CloudFront response headers. (Other blueprints are available for different use cases; for more information, see [Lambda@Edge example functions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html) in the CloudFront documentation.) To create a Lambda@Edge function: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws.html) | AWS administrator | 
| Deploy the Lambda@Edge function. | Follow the instructions in [step 4](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html#lambda-edge-how-it-works-tutorial-add-trigger) of the *Tutorial: Creating a simple Lambda@Edge function* in the Amazon CloudFront documentation to configure the CloudFront trigger and deploy the function. | AWS administrator | 

## Related resources
<a name="modify-http-headers-when-you-migrate-from-f5-to-an-application-load-balancer-on-aws-resources"></a>

**CloudFront documentation**
+ [Request and response behavior for custom origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html) 
+ [Working with distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-working-with.html) 
+ [Lambda@Edge example functions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html) 
+ [Customizing at the edge with Lambda@Edge](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html)
+ [Tutorial: Creating a simple Lambda@Edge function](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html)

# Create a report of Network Access Analyzer findings for inbound internet access in multiple AWS accounts
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts"></a>

*Mike Virgilio, Amazon Web Services*

## Summary
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-summary"></a>

Unintentional inbound internet access to AWS resources can pose risks to an organization’s data perimeter. [Network Access Analyzer](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/what-is-network-access-analyzer.html) is an Amazon Virtual Private Cloud (Amazon VPC) feature that helps you identify unintended network access to your resources on Amazon Web Services (AWS). You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. You can use Network Access Analyzer to do the following:

1. Identify AWS resources that are accessible to the internet through internet gateways.

1. Validate that your virtual private clouds (VPCs) are appropriately segmented, such as isolating production and development environments and separating transactional workloads.

Network Access Analyzer analyzes end-to-end network reachability conditions and not just a single component. To determine whether a resource is internet accessible, Network Access Analyzer evaluates the internet gateway, VPC route tables, network access control lists (ACLs), public IP addresses on elastic network interfaces, and security groups. If any of these components prevent internet access, Network Access Analyzer doesn’t generate a finding. For example, if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an open security group that allows traffic from `0/0` but the instance is in a private subnet that isn’t routable from any internet gateway, then Network Access Analyzer wouldn’t generate a finding. This provides high-fidelity results so that you can identify resources that are truly accessible from the internet.

When you run Network Access Analyzer, you use [Network Access Scopes](https://docs.aws.amazon.com/vpc/latest/network-access-analyzer/what-is-network-access-analyzer.html#concepts) to specify your network access requirements. This solution identifies network paths between an internet gateway and an elastic network interface. In this pattern, you deploy the solution in a centralized AWS account in your organization, managed by AWS Organizations, and it analyzes all of the accounts, in any AWS Region, in the organization.

This solution was designed with the following in mind:
+ The AWS CloudFormation templates reduce the effort required to deploy the AWS resources in this pattern.
+ You can adjust the parameters in the CloudFormation templates and **naa-script.sh** script at the time of deployment to customize them for your environment.
+ Bash scripting automatically provisions and analyzes the Network Access Scopes for multiple accounts, in parallel.
+ A Python script processes the findings, extracts the data, and then consolidates the results. You can choose to review the consolidated report of Network Access Analyzer findings in CSV format or in AWS Security Hub CSPM. An example of the CSV report is available in the [Additional information](#create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-additional) section of this pattern.
+ You can remediate findings, or you can exclude them from future analyses by adding them to the **naa-exclusions.csv** file.

## Prerequisites and limitations
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-prereqs"></a>

**Prerequisites**
+ An AWS account for hosting security services and tools, managed as a member account of an organization in AWS Organizations. In this pattern, this account is referred to as the security account.
+ In the security account, you must have a private subnet with outbound internet access. For instructions, see [Create a subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) in the Amazon VPC documentation. You can establish internet access by using an [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) or an [interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html).
+ Access to the AWS Organizations management account or an account that has delegated administrator permissions for CloudFormation. For instructions, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the CloudFormation documentation.
+ Enable trusted access between AWS Organizations and CloudFormation. For instructions, see [Enable trusted access with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) in the CloudFormation documentation.
+ If you’re uploading the findings to Security Hub CSPM, Security Hub CSPM must be enabled in the account and AWS Region where the Amazon EC2 instance is provisioned. For more information, see [Setting up AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html).

**Limitations**
+ Cross-account network paths are not currently analyzed due to limitations of the Network Access Analyzer feature.
+ The target AWS accounts must be managed as an organization in AWS Organizations. If you are not using AWS Organizations, you can update the **naa-execrole.yaml** CloudFormation template and the **naa-script.sh** script for your environment. Instead, you provide a list of AWS account IDs and Regions where you want to run the script.
+ The CloudFormation template is designed to deploy the Amazon EC2 instance in a private subnet that has outbound internet access. The AWS Systems Manager Agent (SSM Agent) requires outbound access to reach the Systems Manager service endpoint, and you need outbound access to clone the code repository and install dependencies. If you want to use a public subnet, you must modify the **naa-resources.yaml** template to associate an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) with the Amazon EC2 instance.

## Architecture
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-architecture"></a>

**Target architecture**

*Option 1: Access findings in an Amazon S3 bucket*

![\[Architecture diagram of accessing the Network Access Analyzer findings report in an Amazon S3 bucket\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/eda6abba-632a-4e3d-92b9-31848fa6dead/images/d0b08437-e5b0-47a1-abdd-040c67b5da8f.png)


The diagram shows the following process:

1. If you’re manually running the solution, the user authenticates to the Amazon EC2 instance by using Session Manager and then runs the **naa-script.sh** script. This shell script performs steps 2–7.

   If you’re automatically running the solution, the **naa-script.sh** script starts automatically on the schedule you defined in the cron expression. This shell script performs steps 2–7. For more information, see *Automation and scale* at the end of this section.

1. The Amazon EC2 instance downloads the latest **naa-exclusions.csv** file from the Amazon S3 bucket. This file is used later in the process when the Python script processes the exclusions.

1. The Amazon EC2 instance assumes the `NAAEC2Role` AWS Identity and Access Management (IAM) role, which grants permissions to access the Amazon S3 bucket and to assume the `NAAExecRole` IAM roles in the other accounts in the organization.

1. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s management account and generates a list of the accounts in the organization.

1. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s member accounts (called *workload accounts* in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the Amazon EC2 instance.

1. The Amazon EC2 instance uses a Python script to process the JSON files, extract the data fields, and create a CSV report.

1. The Amazon EC2 instance uploads the CSV file to the Amazon S3 bucket.

1. An Amazon EventBridge rule detects the file upload and uses an Amazon SNS topic to send an email that notifies the user that the report is complete.

1. The user downloads the CSV file from the Amazon S3 bucket. The user imports the results into the Excel template and reviews the results.

*Option 2: Access findings in AWS Security Hub CSPM*

![\[Architecture diagram of accessing the Network Access Analyzer findings through AWS Security Hub\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/eda6abba-632a-4e3d-92b9-31848fa6dead/images/9cb4f059-dfb6-4a33-9f8d-159fe5df0d64.png)


The diagram shows the following process:

1. If you’re manually running the solution, the user authenticates to the Amazon EC2 instance by using Session Manager and then runs the **naa-script.sh** script. This shell script performs steps 2–7.

   If you’re automatically running the solution, the **naa-script.sh** script starts automatically on the schedule you defined in the cron expression. This shell script performs steps 2–7. For more information, see *Automation and scale* at the end of this section.

1. The Amazon EC2 instance downloads the latest **naa-exclusions.csv** file from the Amazon S3 bucket. This file is used later in the process when the Python script processes the exclusions.

1. The Amazon EC2 instance assumes the `NAAEC2Role` IAM role, which grants permissions to access the Amazon S3 bucket and to assume the `NAAExecRole` IAM roles in the other accounts in the organization.

1. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s management account and generates a list of the accounts in the organization.

1. The Amazon EC2 instance assumes the `NAAExecRole` IAM role in the organization’s member accounts (called *workload accounts* in the architecture diagram) and performs a security assessment in each account. The findings are stored as JSON files on the Amazon EC2 instance.

1. The Amazon EC2 instance uses a Python script to process the JSON files and extract the data fields for import into Security Hub CSPM.

1. The Amazon EC2 instance imports the Network Access Analyzer findings to Security Hub CSPM.

1. An Amazon EventBridge rule detects the import and uses an Amazon SNS topic to send an email that notifies the user that the process is complete.

1. The user views the findings in Security Hub CSPM.

**Automation and scale**

You can schedule this solution to run the **naa-script.sh** script automatically on a custom schedule. To set a custom schedule, in the **naa-resources.yaml** CloudFormation template, modify the `CronScheduleExpression` parameter. For example, the default value of `0 0 * * 0` runs the solution at midnight on every Sunday. A value of `0 0 * 1-12 0` would run the solution at midnight on the first Sunday of every month. For more information about using cron expressions, see [Cron and rate expressions](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html) in the Systems Manager documentation.

If you want to adjust the schedule after the `NAA-Resources` stack has been deployed, you can manually edit the cron schedule in `/etc/cron.d/naa-schedule`.

## Tools
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-tools"></a>

**AWS services**
+ [Amazon Elastic Compute Cloud (Amazon EC2)](https://docs.aws.amazon.com/ec2/) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.
+ [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) is a serverless event bus service that helps you connect your applications with real-time data from a variety of sources, such as AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts.
+ [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
+ [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html) is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.
+ [Amazon Simple Notification Service (Amazon SNS)](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.
+ [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.
+ [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. This pattern uses Session Manager, a capability of Systems Manager.

**Code repository**

The code for this pattern is available in the GitHub [Network Access Analyzer Multi-Account Analysis](https://github.com/aws-samples/network-access-analyzer-multi-account-analysis) repository. The code repository contains the following files:
+ **naa-script.sh** – This bash script is used to start a Network Access Analyzer analysis of multiple AWS accounts, in parallel. As defined in the **naa-resources.yaml** CloudFormation template, this script is automatically deployed to the `/usr/local/naa` folder on the Amazon EC2 instance.
+ **naa-resources.yaml** – You use this CloudFormation template to create a stack in the security account in the organization. This template deploys all of the required resources for this account in order to support the solution. This stack must be deployed before the **naa-execrole.yaml** template.
**Note**  
If this stack is deleted and redeployed, you must rebuild the `NAAExecRole` stack set in order to rebuild the cross-account dependencies between the IAM roles.
+ **naa-execrole.yaml** – You use this CloudFormation template to create a stack set that deploys the `NAAExecRole` IAM role in all accounts in the organization, including the management account.
+ **naa-processfindings.py** – The **naa-script.sh** script automatically calls this Python script to process the Network Access Analyzer JSON outputs, exclude any known-good resources in the **naa-exclusions.csv** file, and then either generate a CSV file of the consolidated results or import the results into Security Hub CSPM.
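The processing step described in the architecture (flatten each finding, drop resources listed in the exclusions file, emit a CSV report) can be seen end to end in the following added example. It is not the repository's **naa-processfindings.py**; the findings document is constructed to follow the shape of the EC2 `GetNetworkInsightsAccessScopeAnalysisFindings` response (trimmed to the fields used here), the account ID and resource IDs are made up, and the exclusions file is assumed to carry a `resource_id` column, which may differ from the real file's layout.

```python
import csv
import io
import json
from typing import Dict, Iterable, List, Set

# Constructed sample findings. The structure mirrors the EC2 API's AnalysisFindings
# (FindingId plus an ordered list of FindingComponents from the internet gateway to
# the elastic network interface); every ID below is made up.
SAMPLE_FINDINGS_JSON = json.dumps({
    "AnalysisStatus": "succeeded",
    "AnalysisFindings": [
        {
            "FindingId": "finding-0001",
            "FindingComponents": [
                {"SequenceNumber": 1, "Component": {"Id": "igw-0aaa"}},
                {"SequenceNumber": 2, "Component": {"Id": "eni-0bbb"},
                 "Vpc": {"Id": "vpc-0ccc"}, "Subnet": {"Id": "subnet-0ddd"},
                 "SecurityGroups": [{"Id": "sg-0eee"}],
                 "AttachedTo": {"Id": "i-0fff"}},
            ],
        },
        {
            "FindingId": "finding-0002",
            "FindingComponents": [
                {"SequenceNumber": 1, "Component": {"Id": "igw-0aaa"}},
                {"SequenceNumber": 2, "Component": {"Id": "eni-0999"},
                 "Vpc": {"Id": "vpc-0ccc"}, "Subnet": {"Id": "subnet-0888"},
                 "SecurityGroups": [{"Id": "sg-0777"}, {"Id": "sg-0666"}],
                 "AttachedTo": {"Id": "i-0555"}},
            ],
        },
    ],
})

# Constructed exclusions file: assumed layout with a resource_id column.
SAMPLE_EXCLUSIONS_CSV = "resource_id,justification\neni-0999,Approved public web tier\n"

CSV_COLUMNS = ["Account", "Region", "FindingId", "InternetGateway", "NetworkInterface",
               "AttachedTo", "Vpc", "Subnet", "SecurityGroups"]


def load_exclusions(csv_text: str) -> Set[str]:
    """Return the resource IDs that are known-good and must not be reported."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["resource_id"].strip() for row in reader if row.get("resource_id", "").strip()}


def flatten_finding(account: str, region: str, finding: dict) -> Dict[str, str]:
    """Reduce one finding to a flat row: first component is the IGW, last is the ENI."""
    comps = sorted(finding["FindingComponents"], key=lambda c: c["SequenceNumber"])
    first, last = comps[0], comps[-1]
    return {
        "Account": account,
        "Region": region,
        "FindingId": finding["FindingId"],
        "InternetGateway": first["Component"]["Id"],
        "NetworkInterface": last["Component"]["Id"],
        "AttachedTo": last.get("AttachedTo", {}).get("Id", ""),
        "Vpc": last.get("Vpc", {}).get("Id", ""),
        "Subnet": last.get("Subnet", {}).get("Id", ""),
        "SecurityGroups": ";".join(sg["Id"] for sg in last.get("SecurityGroups", [])),
    }


def process_findings(account: str, region: str, findings_json: str,
                     exclusions: Set[str]) -> List[Dict[str, str]]:
    """Parse one account/Region findings document and drop excluded resources.

    A document whose analysis did not succeed is rejected rather than silently
    producing an empty (and misleadingly clean) report.
    """
    data = json.loads(findings_json)
    status = data.get("AnalysisStatus")
    if status != "succeeded":
        raise ValueError(f"analysis for {account}/{region} is '{status}', not 'succeeded'")
    rows = []
    for finding in data.get("AnalysisFindings", []):
        row = flatten_finding(account, region, finding)
        # Exclude by ENI ID or by the attached resource ID, whichever the file lists.
        if row["NetworkInterface"] in exclusions or row["AttachedTo"] in exclusions:
            continue
        rows.append(row)
    return rows


def rows_to_csv(rows: Iterable[Dict[str, str]]) -> str:
    """Serialize consolidated rows (possibly from many accounts) to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    excluded = load_exclusions(SAMPLE_EXCLUSIONS_CSV)
    report = process_findings("111111111111", "us-east-1", SAMPLE_FINDINGS_JSON, excluded)
    print(rows_to_csv(report))
```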

## Epics
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-epics"></a>

### Prepare for deployment
<a name="prepare-for-deployment"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Clone the code repository. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 
| Review the templates. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 

### Create the CloudFormation stacks
<a name="create-the-cfnshort-stacks"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Provision resources in the security account. | Using the **naa-resources.yaml** template, you create a CloudFormation stack that deploys all of the required resources in the security account. For instructions, see [Creating a stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the CloudFormation documentation. Note the following when deploying this template:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 
| Provision the IAM role in the member accounts. | In the AWS Organizations management account or an account with delegated administrator permissions for CloudFormation, use the **naa-execrole.yaml** template to create a CloudFormation stack set. The stack set deploys the `NAAExecRole` IAM role in all member accounts in the organization. For instructions, see [Create a stack set with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html#stacksets-orgs-associate-stackset-with-org) in the CloudFormation documentation. Note the following when deploying this template:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 
| Provision the IAM role in the management account. | Using the **naa-execrole.yaml** template, you create a CloudFormation stack that deploys the `NAAExecRole` IAM role in the management account of the organization. The stack set you created previously doesn’t deploy the IAM role in the management account. For instructions, see [Creating a stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the CloudFormation documentation. Note the following when deploying this template:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 

### Perform the analysis
<a name="perform-the-analysis"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Customize the shell script. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 
| Analyze the target accounts. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 
| Option 1 – Retrieve the results from the Amazon S3 bucket. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 
| Option 2 – Review the results in Security Hub CSPM. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 

### Remediate and exclude findings
<a name="remediate-and-exclude-findings"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Remediate findings. | Remediate any findings that you want to address. For more information and best practices about how to create a perimeter around your AWS identities, resources, and networks, see [Building a data perimeter on AWS](https://docs.aws.amazon.com/whitepapers/latest/building-a-data-perimeter-on-aws/building-a-data-perimeter-on-aws.html) (AWS Whitepaper). | AWS DevOps | 
| Exclude resources with known-good network paths. | If Network Access Analyzer generates findings for resources that should be accessible from the internet, then you can add these resources to an exclusion list. The next time Network Access Analyzer runs, it won’t generate a finding for that resource.[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 

### (Optional) Update the naa-script.sh script
<a name="optional-update-the-naa-script-sh-script"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Update the naa-script.sh script. | If you want to update the **naa-script.sh** script to the latest version in the repo, do the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 

### (Optional) Clean up
<a name="optional-clean-up"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Delete all deployed resources. | You can leave the resources deployed in the accounts. If you want to deprovision all resources, do the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | AWS DevOps | 

## Troubleshooting
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-troubleshooting"></a>


| Issue | Solution | 
| --- | --- | 
| Unable to connect to the Amazon EC2 instance by using Session Manager. | The SSM Agent must be able to communicate with the Systems Manager endpoint. Do the following:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts.html) | 
| When deploying the stack set, the CloudFormation console prompts you to `Enable trusted access with AWS Organizations to use service-managed permissions`. | This indicates that trusted access has not been enabled between AWS Organizations and CloudFormation. Trusted access is required to deploy the service-managed stack set. Choose the button to enable trusted access. For more information, see [Enable trusted access](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html) in the CloudFormation documentation. | 

## Related resources
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-resources"></a>
+ [New – Amazon VPC Network Access Analyzer](https://aws.amazon.com/blogs/aws/new-amazon-vpc-network-access-analyzer/) (AWS blog post)
+ [AWS re:Inforce 2022 - Validate effective network access controls on AWS (NIS202)](https://youtu.be/aN2P2zeQek0) (video)
+ [Demo - Organization-wide Internet Ingress Data Path Analysis Using Network Access Analyzer](https://youtu.be/1IFNZWy4iy0) (video)

## Additional information
<a name="create-a-report-of-network-access-analyzer-findings-for-inbound-internet-access-in-multiple-aws-accounts-additional"></a>

**Example console output**

The following sample shows the output of generating the list of target accounts and analyzing the target accounts.

```
[root@ip-10-10-43-82 naa]# ./naa-script.sh
download: s3://naa-<account ID>-us-east-1/naa-exclusions.csv to ./naa-exclusions.csv

AWS Management Account: <Management account ID>

AWS Accounts being processed...
<Account ID 1> <Account ID 2> <Account ID 3>

Assessing AWS Account: <Account ID 1>, using Role: NAAExecRole
Assessing AWS Account: <Account ID 2>, using Role: NAAExecRole
Assessing AWS Account: <Account ID 3>, using Role: NAAExecRole
Processing account: <Account ID 1> / Region: us-east-1
Account: <Account ID 1> / Region: us-east-1 – Detecting Network Analyzer scope...
Processing account: <Account ID 2> / Region: us-east-1
Account: <Account ID 2> / Region: us-east-1 – Detecting Network Analyzer scope...
Processing account: <Account ID 3> / Region: us-east-1
Account: <Account ID 3> / Region: us-east-1 – Detecting Network Analyzer scope...
Account: <Account ID 1> / Region: us-east-1 – Network Access Analyzer scope detected.
Account: <Account ID 1> / Region: us-east-1 – Continuing analyses with Scope ID. Accounts with many resources may take up to one hour
Account: <Account ID 2> / Region: us-east-1 – Network Access Analyzer scope detected.
Account: <Account ID 2> / Region: us-east-1 – Continuing analyses with Scope ID. Accounts with many resources may take up to one hour
Account: <Account ID 3> / Region: us-east-1 – Network Access Analyzer scope detected.
Account: <Account ID 3> / Region: us-east-1 – Continuing analyses with Scope ID. Accounts with many resources may take up to one hour
```

**CSV report examples**

The following images are examples of the CSV output.

![\[Example 1 of the CSV report generated by this solution.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/eda6abba-632a-4e3d-92b9-31848fa6dead/images/55e02e61-054e-4da6-aaae-c9a8b6f4f272.png)


![\[Example 2 of the CSV report generated by this solution.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/eda6abba-632a-4e3d-92b9-31848fa6dead/images/95f980ad-92c1-4392-92d4-9c742755aab2.png)


# Set up DNS resolution for hybrid networks in a multi-account AWS environment
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment"></a>

*Anvesh Koganti, Amazon Web Services*

## Summary
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-summary"></a>

This pattern provides a comprehensive solution for setting up DNS resolution in hybrid network environments that include multiple Amazon Web Services (AWS) accounts. It enables bidirectional DNS resolution between on-premises networks and the AWS environment through Amazon Route 53 Resolver endpoints. The pattern presents two solutions to enable DNS resolution in a [multi-account, centralized architecture](https://docs.aws.amazon.com/whitepapers/latest/hybrid-cloud-dns-options-for-vpc/scaling-dns-management-across-multiple-accounts-and-vpcs.html#multi-account-centralized):
+ *Basic setup* doesn't use Route 53 Profiles. It helps optimize costs for small to medium deployments of lower complexity.
+ *Enhanced setup* uses Route 53 Profiles to simplify operations. It is best for larger or more complex DNS deployments.

**Note**  
Review the *Limitations* section for service limitations and quotas before implementation. Consider factors such as management overhead, costs, operational complexity, and team expertise when you make your decision.

## Prerequisites and limitations
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-prereqs"></a>

**Prerequisites**
+ An AWS multi-account environment with Amazon Virtual Private Cloud (Amazon VPC) deployed across Shared Services and workload accounts (preferably set up through [AWS Control Tower by following AWS best practices](https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.html) for account structure).
+ Existing hybrid connectivity (AWS Direct Connect or AWS Site-to-Site VPN) between your on-premises network and the AWS environment.
+ Amazon VPC peering, AWS Transit Gateway, or AWS Cloud WAN for Layer 3 network connectivity between VPCs. (This connectivity is required for application traffic. It is not required for DNS resolution to work. DNS resolution operates independently of network connectivity between the VPCs.)
+ DNS servers running in the on-premises environment.

**Limitations**
+ Route 53 Resolver endpoints, rules, and Profiles are Regional constructs and might require replication in multiple AWS Regions for global organizations.
+ For a comprehensive list of service quotas for Route 53 Resolver, private hosted zones, and Profiles, see [Quotas](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html) in the Route 53 documentation.

## Architecture
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-architecture"></a>

**Target technology stack**
+ Route 53 outbound and inbound endpoints
+ Route 53 Resolver rules for conditional forwarding
+ AWS Resource Access Manager (AWS RAM)
+ Route 53 private hosted zone

**Target architecture**

**Outbound and inbound endpoints**

The following diagram shows the DNS resolution flow from AWS to on premises. This is the connectivity setup for outbound resolutions where the domain is hosted on premises. Here is a high-level overview of the process involved in setting this up. For details, see the [Epics](#set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-epics) section.

1. Deploy outbound Route 53 Resolver endpoints in the Shared Services VPC.

1. Create Route 53 Resolver rules (forwarding rules) in the Shared Services account for domains that are hosted on premises.

1. Share and associate the rules with VPCs in other accounts that host resources that need to resolve on-premises hosted domains. This can be done in different ways depending on your use case, as described later in this section.

![\[Inbound and outbound endpoints in an AWS to on premises DNS resolution flow.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/01e700cd-be8c-4a5d-bc89-b901a260d045/images/d69d4cad-5e2c-4481-9370-2708e8a4f8c1.png)


After you set up connectivity, the steps involved in the outbound resolution are as follows:

1. The Amazon Elastic Compute Cloud (Amazon EC2) instance sends a DNS resolution request for `db.onprem.example.com` to the VPC's Route 53 Resolver at the VPC+2 address.

1. Route 53 Resolver checks the Resolver rules and forwards the request to the on-premises DNS server IPs by using the outbound endpoint.

1. The outbound endpoint forwards the request to the on-premises DNS IPs. The traffic goes over the established hybrid network connectivity between the Shared Services VPC and the on-premises data center.

1. The on-premises DNS server responds back to the outbound endpoint, which then forwards the response back to the VPC's Route 53 Resolver. The Resolver returns the response to the EC2 instance.

The next diagram shows the DNS resolution flow from the on-premises environment to AWS. This is the connectivity setup for inbound resolutions where the domain is hosted on AWS. Here is a high-level overview of the process involved in setting this up. For details, see the [Epics](#set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-epics) section.

1. Deploy inbound Resolver endpoints in the Shared Services VPC.

1. Create private hosted zones in the Shared Services account (centralized approach).

1. Associate the private hosted zones with the Shared Services VPC. Share and associate these zones with cross-account VPCs for VPC-to-VPC DNS resolution. This can be done in different ways depending on your use case, as described later in this section.

![\[Inbound and outbound endpoints in an on premises to AWS DNS resolution flow.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/01e700cd-be8c-4a5d-bc89-b901a260d045/images/a6f5348c-2041-453e-8939-2b4ee0b7ebd8.png)


After you set up connectivity, the steps involved in the inbound resolution are as follows:

1. The on-premises resource sends a DNS resolution request for `ec2.prod.aws.example.com` to the on-premises DNS server.

1. The on-premises DNS server forwards the request to the inbound Resolver endpoint in the Shared Services VPC over the hybrid network connection.

1. The inbound Resolver endpoint looks up the request in the associated private hosted zone with the help of the VPC Route 53 Resolver and gets the appropriate IP address.

1. These IP addresses are sent back to the on-premises DNS server, which returns the response to the on-premises resource.

This configuration enables on-premises resources to resolve AWS private domain names by routing queries through the inbound endpoints to the appropriate private hosted zone. In this architecture, private hosted zones are centralized in a Shared Services VPC, which allows for central DNS management by a single team. These zones can be associated with many VPCs to address the VPC-to-VPC DNS resolution use case. Alternatively, you might want to delegate DNS domain ownership and management to each AWS account. In that case, each account manages its own private hosted zones and associates each zone with the central Shared Services VPC for a unified resolution with the on-premises environment. This decentralized approach is outside the scope of this pattern. For more information, see [Scaling DNS management across multiple accounts and VPCs](https://docs.aws.amazon.com/whitepapers/latest/hybrid-cloud-dns-options-for-vpc/scaling-dns-management-across-multiple-accounts-and-vpcs.html) in the *Hybrid Cloud DNS Options for Amazon VPC* whitepaper.

When you establish the fundamental DNS resolution flows by using Resolver endpoints, you need to determine how to manage the sharing and association of Resolver rules and private hosted zones across your AWS accounts. You can approach this in two ways: through self-managed sharing by using AWS RAM to share Resolver rules and direct private hosted zone associations, as detailed in the *Basic setup* section, or through Route 53 Profiles, as discussed in the *Enhanced setup* section. The choice depends on your organization's DNS management preferences and operational requirements. The following architecture diagrams illustrate a scaled environment that includes multiple VPCs across different accounts, which represents a typical enterprise deployment.

**Basic setup**

In basic setup, the implementation for hybrid DNS resolution in a multi-account AWS environment uses AWS RAM to share Resolver forwarding rules and private hosted zone associations to manage DNS queries between on-premises and AWS resources. This method uses centralized Route 53 Resolver endpoints in a Shared Services VPC that's connected to your on-premises network to handle both inbound and outbound DNS resolution efficiently.
+ For outbound resolution, Resolver forwarding rules are created in the Shared Services account and then shared with other AWS accounts by using AWS RAM. This sharing is limited to accounts within the same Region. The target accounts can then associate these rules with their VPCs and enable the resources in those VPCs to resolve on-premises domain names.
+ For inbound resolution, private hosted zones are created in the Shared Services account and associated with the Shared Services VPC. These zones can then be associated with VPCs in other accounts by using the Route 53 API, AWS SDKs, or the AWS Command Line Interface (AWS CLI). The resources in associated VPCs can then resolve DNS records defined in the private hosted zones, which creates a unified DNS view across your AWS environment.

The following diagram shows DNS resolution flows in this basic setup.

![\[Using basic setup for hybrid DNS resolution in a multi-account AWS environment.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/01e700cd-be8c-4a5d-bc89-b901a260d045/images/258e4bcd-e9c6-43b5-bab8-856ca22206b9.png)


This setup works well when you work with DNS infrastructure on a limited scale. However, it can become challenging to manage as your environment grows. The operational overhead of managing how private hosted zone and Resolver rules are shared and associated with VPCs individually increases significantly with scale. Additionally, service quotas such as the 300 VPC association limit per private hosted zone can become constraining factors in large-scale deployments. Enhanced setup addresses these challenges.

**Enhanced setup**

Route 53 Profiles offer a streamlined solution for managing DNS resolution in hybrid networks across multiple AWS accounts. Instead of managing private hosted zones and Resolver rules individually, you can group DNS configurations into a single container that can be easily shared and applied across multiple VPCs and accounts in a Region. This setup maintains the centralized Resolver endpoint architecture in a Shared Services VPC while significantly simplifying the management of DNS configurations.

The following diagram shows DNS resolution flows in an enhanced setup.

![\[Using advanced setup with Route 53 Profiles for hybrid DNS resolution in a multi-account AWS environment.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/01e700cd-be8c-4a5d-bc89-b901a260d045/images/55b9681d-ddb4-4a55-b4ec-fc9afa9870fa.png)


Route 53 Profiles let you package private hosted zone associations, Resolver forwarding rules, and DNS firewall rules into a single, shareable unit. You can create Profiles in the Shared Services account and share them with member accounts by using AWS RAM. When a profile is shared and applied to target VPCs, all necessary associations and configurations are automatically handled by the service. This significantly reduces the operational overhead of DNS management and provides excellent scalability for growing environments.

**Automation and scale**

Use infrastructure as code (IaC) tools such as CloudFormation or Terraform to automatically provision and manage Route 53 Resolver endpoints, rules, private hosted zones, and Profiles. Integrate DNS configuration with continuous integration and continuous delivery (CI/CD) pipelines for consistency, repeatability, and rapid updates.

## Tools
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-tools"></a>

**AWS services**
+ [AWS Resource Access Manager (AWS RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) helps you securely share your resources across AWS accounts to reduce operational overhead and provide visibility and auditability.
+ [Amazon Route 53 Resolver](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html) responds recursively to DNS queries from AWS resources and is available by default in all VPCs. You can create Resolver endpoints and conditional forwarding rules to resolve DNS namespaces between your on-premises data center and your VPCs.
+ [Amazon Route 53 private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) is a container that holds information about how you want Route 53 to respond to DNS queries for a domain and its subdomains.
+ [Amazon Route 53 Profiles](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/profiles.html) allow you to apply and manage DNS-related Route 53 configurations across many VPCs and in different AWS accounts in a simplified manner.

## Best practices
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-best-practices"></a>

This section provides some of the best practices for optimizing Route 53 Resolver. These represent a subset of Route 53 best practices. For a comprehensive list, see [Best practices for Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/best-practices.html).

**Avoid loop configurations with Resolver endpoints**
+ Design your DNS architecture to prevent recursive routing by carefully planning VPC associations. When a VPC hosts an inbound endpoint, avoid associating it with Resolver rules that could create circular references.
+ Use AWS RAM strategically when you share DNS resources across accounts to maintain clean routing paths.

For more information, see [Avoid loop configurations with Resolver endpoints](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/best-practices-resolver-endpoints.html) in the Route 53 documentation.

**Scale Resolver endpoints**
+ For environments that require a high number of queries per second (QPS), be aware that there is a limit of 10,000 QPS per ENI in an endpoint. More ENIs can be added to an endpoint to scale DNS QPS.
+ Amazon CloudWatch provides `InboundQueryVolume` and `OutboundQueryVolume` metrics (see the [CloudWatch documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-resolver-with-cloudwatch.html)). We recommend that you set up monitoring rules that alert you if the threshold exceeds a certain value (for example, 80 percent of 10,000 QPS).
+ Configure stateful security group rules for Resolver endpoints to prevent connection tracking limits from causing DNS query throttling during high-volume traffic. To learn more about how connection tracking works in security groups, see [Amazon EC2 security group connection tracking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html) in the Amazon EC2 documentation.

For more information, see [Resolver endpoint scaling](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.html) in the Route 53 documentation.

**Provide high availability for Resolver endpoints**
+ Create inbound endpoints with IP addresses in at least two Availability Zones for redundancy.
+ Provision additional network interfaces to ensure availability during maintenance or traffic surges.

For more information, see [High availability for Resolver endpoints](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-high-availability.html) in the Route 53 documentation.

## Epics
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-epics"></a>

### Deploy Route 53 Resolver endpoints
<a name="deploy-r53r-endpoints"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Deploy an inbound endpoint. | Route 53 Resolver uses the inbound endpoint to receive DNS queries from on-premises DNS resolvers. For instructions, see [Forwarding inbound DNS queries to your VPCs ](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-forwarding-inbound-queries.html)in the Route 53 documentation. Make a note of the inbound endpoint IP address. | AWS administrator, Cloud administrator | 
| Deploy an outbound endpoint. | Route 53 Resolver uses the outbound endpoint to send DNS queries to on-premises DNS resolvers. For instructions, see [Forwarding outbound DNS queries to your network](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.html) in the Route 53 documentation. Make a note of the outbound endpoint ID. | AWS administrator, Cloud administrator | 

### Configure and share Route 53 private hosted zones
<a name="configure-and-share-r53-private-hosted-zones"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a private hosted zone for a domain that’s hosted on AWS. | This zone holds the DNS records for resources in an AWS-hosted domain (for example, `prod.aws.example.com`) that should be resolved from the on-premises environment. For instructions, see [Creating a private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html) in the Route 53 documentation. When you create a private hosted zone, you must associate it with a VPC that is owned by the same account. Select the Shared Services VPC for this purpose. | AWS administrator, Cloud administrator | 
| Basic setup: Associate the private hosted zone with VPCs in other accounts. | If you're using basic setup (see the [Architecture](#set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-architecture) section): To enable resources in the member account VPCs to resolve DNS records in this private hosted zone, you must associate your VPCs with the hosted zone. You must authorize the association and then make the association programmatically. For instructions, see [Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html) in the Route 53 documentation. | AWS administrator, Cloud administrator | 
| Enhanced setup: Configure and share Route 53 Profiles. | If you're using enhanced setup (see the [Architecture](#set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-architecture) section): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment.html) Depending on your organization's structure and DNS requirements, you might need to create and manage multiple Profiles for different accounts or workloads. | AWS administrator, Cloud administrator | 

### Configure and share Route 53 Resolver forwarding rules
<a name="configure-and-share-r53r-forwarding-rules"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create a forwarding rule for a domain that’s hosted on premises. | This rule will instruct Route 53 Resolver to forward any DNS queries for on-premises domains (such as `onprem.example.com`) to on-premises DNS resolvers. To create this rule, you need the IP addresses of the on-premises DNS resolvers and the outbound endpoint ID. For instructions, see [Creating forwarding rules ](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-rules-managing-creating-rules.html)in the Route 53 documentation. | AWS administrator, Cloud administrator | 
| Basic setup: Share and associate the forwarding rule with your VPCs in other accounts. | If you're using basic setup: For the forwarding rule to take effect, you must share and associate the rule with your VPCs in other accounts. Route 53 Resolver then takes the rule into consideration when it resolves a domain. For instructions, see [Sharing Resolver rules with other AWS accounts and using shared rules](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-rules-managing-sharing.html) and [Associating forwarding rules with a VPC](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-rules-managing-associating-rules.html) in the Route 53 documentation. | AWS administrator, Cloud administrator | 
| Enhanced setup: Configure and share Route 53 Profiles. | If you're using enhanced setup: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment.html) Depending on your organization's structure and DNS requirements, you might need to create and manage multiple Profiles for different accounts or workloads. | AWS administrator, Cloud administrator | 
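The basic-setup sharing steps (the AWS RAM rule share and the authorize-then-associate private hosted zone flow described in the Architecture section and in the two basic-setup tasks above), as an added example that is not the pattern's or AWS's own code. It assumes boto3 clients are passed in for each account, so the same flow runs offline against the constructed `FakeClient`; all account IDs, ARNs and resource IDs are constructed placeholders.

```python
"""Cross-account sharing for the basic setup (added example; not the pattern's or AWS's own code).

The steps span two accounts, so each function takes boto3 clients as parameters:
  owner_*  -> Shared Services account (owns the Resolver rule and the private hosted zone)
  member_* -> account that owns the VPC being onboarded
Injected clients also let the whole flow run offline against the FakeClient below.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpcRef:
    region: str  # the VPC's Region; Resolver rules, RAM shares and endpoints are all Regional
    vpc_id: str

    def as_route53(self) -> dict:
        return {"VPCRegion": self.region, "VPCId": self.vpc_id}


def share_resolver_rule(owner_ram, rule_arn: str, member_account_ids: list, share_name: str) -> str:
    """Share a forwarding rule from the Shared Services account through AWS RAM.

    allowExternalPrincipals=False confines the share to accounts in your organization.
    """
    resp = owner_ram.create_resource_share(
        name=share_name,
        resourceArns=[rule_arn],
        principals=member_account_ids,
        allowExternalPrincipals=False,
    )
    return resp["resourceShare"]["resourceShareArn"]


def associate_shared_rule(member_resolver, rule_id: str, vpc: VpcRef, name: str) -> str:
    """In the member account, attach the shared rule to the VPC that must resolve on-premises names."""
    resp = member_resolver.associate_resolver_rule(ResolverRuleId=rule_id, Name=name, VPCId=vpc.vpc_id)
    return resp["ResolverRuleAssociation"]["Id"]


def associate_private_zone_cross_account(owner_route53, member_route53, zone_id: str, vpc: VpcRef) -> str:
    """Authorize (owner), associate (member), then revoke the authorization (owner).

    The authorization exists only to permit the association call; revoking it afterwards means
    that re-associating the zone later needs a fresh, explicit approval from the zone owner.
    """
    owner_route53.create_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc.as_route53())
    try:
        resp = member_route53.associate_vpc_with_hosted_zone(
            HostedZoneId=zone_id, VPC=vpc.as_route53(), Comment="hybrid DNS basic setup"
        )
    finally:
        owner_route53.delete_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc.as_route53())
    return resp["ChangeInfo"]["Status"]


def onboard_member_vpc(owner_ram, owner_route53, member_resolver, member_route53, *,
                       member_account_id: str, rule_arn: str, rule_id: str, zone_id: str,
                       vpc: VpcRef) -> dict:
    """Run the basic-setup steps for one member VPC: share and associate the rule, associate the zone."""
    return {
        "share_arn": share_resolver_rule(owner_ram, rule_arn, [member_account_id], f"hybrid-dns-{vpc.vpc_id}"),
        "rule_association_id": associate_shared_rule(member_resolver, rule_id, vpc, f"onprem-{vpc.vpc_id}"),
        "zone_association_status": associate_private_zone_cross_account(owner_route53, member_route53, zone_id, vpc),
    }


class FakeClient:
    """Stand-in for a boto3 client: records every call and returns constructed canned responses."""

    RESPONSES = {
        "create_resource_share": {"resourceShare": {
            "resourceShareArn": "arn:aws:ram:us-east-1:111111111111:resource-share/EXAMPLE"}},
        "associate_resolver_rule": {"ResolverRuleAssociation": {"Id": "rslvr-rrassoc-EXAMPLE"}},
        "associate_vpc_with_hosted_zone": {"ChangeInfo": {"Status": "PENDING"}},
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, operation):
        def call(**kwargs):
            self.calls.append((operation, kwargs))
            return self.RESPONSES.get(operation, {})
        return call


if __name__ == "__main__":
    # Offline run with fakes; for a real run pass boto3.client("ram"), boto3.client("route53") and
    # boto3.client("route53resolver") created from credentials for the respective accounts.
    owner_ram, owner_r53, member_rslv, member_r53 = FakeClient(), FakeClient(), FakeClient(), FakeClient()
    print(onboard_member_vpc(
        owner_ram, owner_r53, member_rslv, member_r53,
        member_account_id="222222222222",  # constructed account IDs and resource IDs
        rule_arn="arn:aws:route53resolver:us-east-1:111111111111:resolver-rule/rslvr-rr-EXAMPLE",
        rule_id="rslvr-rr-EXAMPLE", zone_id="Z0EXAMPLE", vpc=VpcRef("us-east-1", "vpc-0member"),
    ))
    print([op for op, _ in owner_r53.calls])
```

The member-side calls need credentials for the member account, and the RAM share only becomes usable there once it is accepted or, with AWS Organizations sharing enabled, automatically.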

### Configure on-premises DNS resolvers for AWS integration
<a name="configure-on-premises-dns-resolvers-for-aws-integration"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Configure conditional forwarding in the on-premises DNS resolvers. | For DNS queries to be sent to AWS from the on-premises environment for resolution, you must configure conditional forwarding in the on-premises DNS resolvers to point to the inbound endpoint IP address. This instructs the DNS resolvers to forward all DNS queries for the AWS-hosted domain (for example, for `prod.aws.example.com`) to the inbound endpoint IP address for resolution by Route 53 Resolver. | Network administrator | 

### Verify end-to-end DNS resolution in a hybrid environment
<a name="verify-end-to-end-dns-resolution-in-a-hybrid-environment"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Test DNS resolution from AWS to the on-premises environment. | From an instance in a VPC that has the forwarding rule associated with it, perform a DNS query for an on-premises hosted domain (for example, for `db.onprem.example.com`). | Network administrator | 
| Test DNS resolution from the on-premises environment to AWS. | From an on-premises server, perform DNS resolution for an AWS-hosted domain (for example, for `ec2.prod.aws.example.com`). | Network administrator | 

## Related resources
<a name="set-up-dns-resolution-for-hybrid-networks-in-a-multi-account-aws-environment-resources"></a>
+ [Hybrid Cloud DNS Options for Amazon VPC](https://docs.aws.amazon.com/whitepapers/latest/hybrid-cloud-dns-options-for-vpc/hybrid-cloud-dns-options-for-vpc.html) (AWS whitepaper)
+ [Working with private hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) (Route 53 documentation)
+ [Getting started with Route 53 Resolver](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-getting-started.html) (Route 53 documentation)
+ [Simplify DNS management in a multi-account environment with Route 53 Resolver](https://aws.amazon.com/blogs/security/simplify-dns-management-in-a-multiaccount-environment-with-route-53-resolver/) (AWS blog post)
+ [Unify DNS management using Amazon Route 53 Profiles with multiple VPCs and AWS accounts](https://aws.amazon.com/blogs/aws/unify-dns-management-using-amazon-route-53-profiles-with-multiple-vpcs-and-aws-accounts/) (AWS blog post)
+ [Migrating your multi-account DNS environment to Amazon Route 53 Profiles](https://aws.amazon.com/blogs/networking-and-content-delivery/migrating-your-multi-account-dns-environment-to-amazon-route-53-profiles/) (AWS blog post)
+ [Using Amazon Route 53 Profiles for scalable multi-account AWS environments](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-route-53-profiles-for-scalable-multi-account-aws-environments/) (AWS blog post)

 

# Verify that ELB load balancers require TLS termination
<a name="verify-that-elb-load-balancers-require-tls-termination"></a>

*Priyanka Chaudhary, Amazon Web Services*

## Summary
<a name="verify-that-elb-load-balancers-require-tls-termination-summary"></a>

On the Amazon Web Services (AWS) Cloud, Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, IP addresses, and AWS Lambda functions. The load balancers use listeners to define the ports and protocols that the load balancer uses to accept traffic from users. Application Load Balancers make routing decisions at the application layer and use the HTTP/HTTPS protocols. Classic Load Balancers make routing decisions at either the transport layer, by using TCP or Secure Sockets Layer (SSL) protocols, or at the application layer, by using HTTP/HTTPS.

This pattern provides a security control that examines multiple event types for Application Load Balancers and Classic Load Balancers. When the function is invoked, AWS Lambda inspects the event and ensures that the load balancer is compliant.

An Amazon CloudWatch Events rule is triggered by the following API calls: [CreateLoadBalancer](https://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/API_CreateLoadBalancer.html), [CreateLoadBalancerListeners](https://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/API_CreateLoadBalancerListeners.html), [DeleteLoadBalancerListeners](https://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/API_DeleteLoadBalancerListeners.html), [CreateLoadBalancerPolicy](https://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/API_CreateLoadBalancerPolicy.html), [SetLoadBalancerPoliciesOfListener](https://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/API_SetLoadBalancerPoliciesOfListener.html), [CreateListener](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_CreateListener.html), [DeleteListener](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_DeleteListener.html), and [ModifyListener](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_ModifyListener.html). When the rule detects one of these API calls, it invokes AWS Lambda, which runs a Python script. The Python script evaluates whether the listener has an SSL certificate and whether the applied policy uses Transport Layer Security (TLS). If the SSL policy is determined to be anything other than TLS, the function sends an Amazon Simple Notification Service (Amazon SNS) notification to the user with the relevant information.
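The listener evaluation just described, as an added example that is not the pattern's attached Lambda code. It assumes the CloudTrail `requestParameters` field names shown in the comments and a constructed allow-list of TLS-only security policies; the sample event is constructed.

```python
"""Listener and policy compliance logic in the spirit of the pattern's Lambda (added example;
not the code in the attached ELBRequirestlstermination.zip).

It inspects the requestParameters of the CloudTrail events that CloudWatch Events delivers for
the API calls listed above. Assumptions: field names follow CloudTrail's camelCase rendering of
the API request, and a listener is compliant when it terminates HTTPS/SSL with a certificate
and an SSL policy from the allow-list below (constructed; align it with your own baseline).
"""

TLS_ONLY_POLICIES = {  # assumed allow-list of policies whose minimum protocol is TLS 1.2
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}
# HTTPS (ALB and Classic), SSL (Classic); TLS because NLB listeners share the v2 CreateListener API
SECURE_PROTOCOLS = {"HTTPS", "SSL", "TLS"}
LEGACY_PROTOCOL_ATTRS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1")
ALB_LISTENER_EVENTS = {"CreateListener", "ModifyListener"}
CLASSIC_LISTENER_EVENTS = {"CreateLoadBalancer", "CreateLoadBalancerListeners"}


def evaluate_alb_listener(params: dict):
    """CreateListener / ModifyListener: protocol, certificates and sslPolicy travel in the request."""
    if not any(k in params for k in ("protocol", "certificates", "sslPolicy")):
        return None  # e.g. ModifyListener that only changes default actions: nothing TLS-related to judge
    protocol = (params.get("protocol") or "").upper()
    port = params.get("port")
    if protocol not in SECURE_PROTOCOLS:
        return [f"listener on port {port} uses {protocol or 'an unknown protocol'}, so it does not terminate TLS"]
    findings = []
    if not params.get("certificates"):
        findings.append(f"{protocol} listener on port {port} has no certificate")
    policy = params.get("sslPolicy")
    if policy not in TLS_ONLY_POLICIES:
        findings.append(f"SSL policy {policy!r} is not in the TLS-only allow-list")
    return findings


def evaluate_classic_listeners(params: dict) -> list:
    """CreateLoadBalancer / CreateLoadBalancerListeners (2012-06-01 API): every listener is explicit."""
    findings = []
    for lsn in params.get("listeners", []):
        proto = (lsn.get("protocol") or "").upper()
        port = lsn.get("loadBalancerPort")
        if proto not in SECURE_PROTOCOLS:
            findings.append(f"Classic listener on port {port} uses {proto or 'an unknown protocol'}, not HTTPS/SSL")
        elif not lsn.get("sSLCertificateId"):  # assumed CloudTrail rendering of SSLCertificateId
            findings.append(f"Classic {proto} listener on port {port} has no certificate")
    return findings


def evaluate_classic_policy(params: dict) -> list:
    """CreateLoadBalancerPolicy of type SSLNegotiationPolicyType: a reference policy or per-protocol flags."""
    attrs = {a.get("attributeName"): str(a.get("attributeValue", "")) for a in params.get("policyAttributes", [])}
    name = params.get("policyName")
    findings = []
    ref = attrs.get("Reference-Security-Policy")
    if ref is not None and ref not in TLS_ONLY_POLICIES:
        findings.append(f"policy {name} references {ref}, which is not in the TLS-only allow-list")
    for attr in LEGACY_PROTOCOL_ATTRS:
        if attrs.get(attr, "").lower() == "true":
            findings.append(f"policy {name} enables legacy {attr[len('Protocol-'):]}")
    return findings


def evaluate_event(event: dict) -> dict:
    """Turn one CloudWatch Events record (a CloudTrail API call) into a compliance verdict."""
    detail = event.get("detail") or {}
    name = detail.get("eventName", "")
    params = detail.get("requestParameters") or {}
    resource = params.get("loadBalancerName") or params.get("loadBalancerArn") or params.get("listenerArn") or "unknown"
    findings = None  # None: the event carries nothing to judge
    if name in ALB_LISTENER_EVENTS:
        findings = evaluate_alb_listener(params)
    elif name in CLASSIC_LISTENER_EVENTS and params.get("listeners"):
        findings = evaluate_classic_listeners(params)
    elif name == "CreateLoadBalancerPolicy" and params.get("policyTypeName") == "SSLNegotiationPolicyType":
        findings = evaluate_classic_policy(params)
    if findings is None:
        # Delete* and SetLoadBalancerPoliciesOfListener carry no listener detail; a complete
        # control would follow up with a Describe* call on the load balancer before deciding.
        status = "NOT_EVALUATED"
    else:
        status = "NON_COMPLIANT" if findings else "COMPLIANT"
    return {"eventName": name, "resource": resource, "status": status, "findings": findings or []}


def format_notification(result: dict, account: str, region: str) -> str:
    """Message body for the SNS notification sent on a violation."""
    lines = [f"ELB TLS termination check: {result['status']}",
             f"Account: {account}  Region: {region}",
             f"API call: {result['eventName']}  Resource: {result['resource']}"]
    lines += [f" - {finding}" for finding in result["findings"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed event in the shape CloudWatch Events delivers for a CloudTrail API call.
    weak_alb = {"detail": {"eventName": "CreateListener", "requestParameters": {
        "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/EXAMPLE",
        "protocol": "HTTPS", "port": 443, "sslPolicy": "ELBSecurityPolicy-2016-08",
        "certificates": [{"certificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE"}]}}}
    print(format_notification(evaluate_event(weak_alb), "111111111111", "us-east-1"))
```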

## Prerequisites and limitations
<a name="verify-that-elb-load-balancers-require-tls-termination-prereqs"></a>

**Prerequisites**
+ An active AWS account

**Limitations**
+ This security control does not check for existing load balancers, unless an update is made to the load balancer listeners.
+ This security control is regional. You must deploy it in each AWS Region you want to monitor.

## Architecture
<a name="verify-that-elb-load-balancers-require-tls-termination-architecture"></a>

**Target architecture**

![\[Ensuring that load balancers require TLS termination.\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/da99cda2-ac34-4791-a2bd-d37264d8d3d9/images/af92b3c8-32bb-45eb-a2a8-d8276fb3e824.png)


**Automation and scale**
+ If you are using [AWS Organizations](https://aws.amazon.com/organizations/), you can use [AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) to deploy this template in multiple accounts that you want to monitor.

## Tools
<a name="verify-that-elb-load-balancers-require-tls-termination-tools"></a>

**AWS services**
+ [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually.
+ [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html) – Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in AWS resources.
+ [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) – AWS Lambda is a compute service that supports running code without provisioning or managing servers.
+ [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html) – Amazon Simple Storage Service (Amazon S3) is a highly scalable object storage service that can be used for a wide range of storage solutions, including websites, mobile applications, backups, and data lakes.
+ [Amazon SNS](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) – Amazon Simple Notification Service (Amazon SNS) coordinates and manages the delivery or sending of messages between publishers and clients, including web servers and email addresses. Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.

**Code**

This pattern includes the following attachments:
+ `ELBRequirestlstermination.zip` – The Lambda code for the security control.
+ `ELBRequirestlstermination.yml` – The CloudFormation template that sets up the event and Lambda function.

## Epics
<a name="verify-that-elb-load-balancers-require-tls-termination-epics"></a>

### Set up the S3 bucket
<a name="set-up-the-s3-bucket"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Define the S3 bucket. | On the [Amazon S3 console](https://console.aws.amazon.com/s3/), choose or create an S3 bucket to host the Lambda code .zip file. This S3 bucket must be in the same AWS Region as the load balancer that you want to evaluate. An S3 bucket name is globally unique, and the namespace is shared by all AWS accounts. The S3 bucket name cannot include leading slashes. | Cloud architect | 
| Upload the Lambda code. | Upload the Lambda code (`ELBRequirestlstermination.zip` file) that's provided in the *Attachments* section to the S3 bucket. | Cloud architect | 

### Deploy the CloudFormation template
<a name="deploy-the-cloudformation-template"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Launch the AWS CloudFormation template. | Open the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/) in the same AWS Region as your S3 bucket and deploy the attached template `ELBRequirestlstermination.yml`. For more information about deploying AWS CloudFormation templates, see [Creating a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the CloudFormation documentation. | Cloud architect | 
| Complete the parameters in the template. | When you launch the template, you'll be prompted for the following information: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/verify-that-elb-load-balancers-require-tls-termination.html) | Cloud architect | 

### Confirm the subscription
<a name="confirm-the-subscription"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Confirm the subscription. | When the CloudFormation template deploys successfully, it sends a subscription email to the email address you provided. You must confirm this email subscription to start receiving violation notifications. | Cloud architect | 

## Related resources
<a name="verify-that-elb-load-balancers-require-tls-termination-resources"></a>
+ [Creating a stack on the AWS CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) (AWS CloudFormation documentation)
+ [What is AWS Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) (AWS Lambda documentation)
+ [What is a Classic Load Balancer?](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/introduction.html) (ELB documentation)
+ [What is an Application Load Balancer?](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) (ELB documentation)

## Attachments
<a name="attachments-da99cda2-ac34-4791-a2bd-d37264d8d3d9"></a>

To access additional content that is associated with this document, unzip the following file: [attachment.zip](samples/p-attach/da99cda2-ac34-4791-a2bd-d37264d8d3d9/attachments/attachment.zip)

# View AWS Network Firewall logs and metrics by using Splunk
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk"></a>

*Ivo Pinto, Amazon Web Services*

## Summary
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk-summary"></a>

Many organizations use [Splunk Enterprise](https://www.splunk.com/en_us/products/splunk-enterprise.html) as a centralized aggregation and visualization tool for logs and metrics from different sources. This pattern helps you configure Splunk to fetch [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) logs and metrics from [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) by using the Splunk Add-On for AWS. 

To achieve this, you create a read-only AWS Identity and Access Management (IAM) role. Splunk Add-On for AWS uses this role to access CloudWatch. You configure the Splunk Add-On for AWS to fetch metrics and logs from CloudWatch. Finally, you create visualizations in Splunk from the retrieved log data and metrics.

## Prerequisites and limitations
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk-prereqs"></a>

**Prerequisites**
+ A [Splunk](https://www.splunk.com/) account
+ A Splunk Enterprise instance, version 8.2.2 or later 
+ An active AWS account
+ Network Firewall, [set up](https://docs.aws.amazon.com/network-firewall/latest/developerguide/getting-started.html) and [configured](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-cw-logs.html) to send logs to CloudWatch Logs

**Limitations**
+ Splunk Enterprise must be deployed as a cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances in the AWS Cloud.
+ Collecting data by using an automatically discovered IAM role for Amazon EC2 is not supported in the AWS China Regions.

## Architecture
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk-architecture"></a>

![\[AWS Network Firewall and Splunk logging architecture\]](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/images/pattern-img/c6ce254a-841f-4bed-8f9f-b35e99f22e56/images/3dd420e9-70af-4a42-b24d-c54872c55e0b.png)


The diagram illustrates the following:

1. Network Firewall publishes logs to CloudWatch Logs.

1. Splunk Enterprise retrieves metrics and logs from CloudWatch.

To populate example metrics and logs in this architecture, a workload generates traffic that passes through the Network Firewall endpoint to go to the internet. This is achieved by the use of [route tables](https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html#vpc-config-route-tables). Although this pattern uses a single Amazon EC2 instance as the workload, this pattern can apply to any architecture as long as Network Firewall is configured to send logs to CloudWatch Logs.

This architecture also uses a Splunk Enterprise instance in another virtual private cloud (VPC). However, the Splunk instance can be in another location, such as in the same VPC as the workload, as long as it can reach the CloudWatch APIs.

## Tools
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk-tools"></a>

**AWS services**
+ [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) helps you centralize the logs from all your systems, applications, and AWS services so you can monitor them and archive them securely.
+ [Amazon Elastic Compute Cloud (Amazon EC2)](https://docs.aws.amazon.com/ec2/) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down.
+ [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) is a stateful, managed, network firewall and intrusion detection and prevention service for VPCs in the AWS Cloud.

**Other tools**
+ [Splunk](https://www.splunk.com/) helps you monitor, visualize, and analyze log data.

## Epics
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk-epics"></a>

### Create an IAM role
<a name="create-an-iam-role"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Create the IAM policy. | Follow the instructions in [Creating policies using the JSON editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor) to create the IAM policy that grants read-only (List, Get, Describe, and log query) access to CloudWatch Logs data, CloudWatch metrics, and Network Firewall configuration. Paste the following policy into the JSON editor.<pre>{<br />    "Statement": [<br />        {<br />            "Action": [<br />                "cloudwatch:List*",<br />                "cloudwatch:Get*",<br />                "network-firewall:List*",<br />                "logs:Describe*",<br />                "logs:Get*",<br />                "logs:List*",<br />                "logs:StartQuery",<br />                "logs:StopQuery",<br />                "logs:TestMetricFilter",<br />                "logs:FilterLogEvents",<br />                "network-firewall:Describe*"<br />            ],<br />            "Effect": "Allow",<br />            "Resource": "*"<br />        }<br />    ],<br />    "Version": "2012-10-17"<br />}</pre> | AWS administrator | 
| Create a new IAM role. | Follow the instructions in [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) to create the IAM role that the Splunk Add-On for AWS uses to access CloudWatch. For **Permissions policies**, choose the policy that you created previously. | AWS administrator | 
| Assign the IAM role to the EC2 instances in the Splunk cluster. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html) | AWS administrator | 

### Install the Splunk Add-On for AWS
<a name="install-the-splunk-add-on-for-aws"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Install the add-on. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html) | Splunk administrator | 
| Configure the AWS credentials. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html). For more information, see [Find an IAM role within your Splunk platform instance](https://splunk.github.io/splunk-add-on-for-amazon-web-services/#Find_an_IAM_role_within_your_Splunk_platform_instance) in the Splunk documentation. | Splunk administrator | 

### Configure Splunk access to CloudWatch
<a name="configure-splunk-access-to-cloudwatch"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| Configure the retrieval of Network Firewall logs from CloudWatch Logs. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html). By default, Splunk fetches the log data every 10 minutes. This is a configurable parameter under **Advanced Settings**. For more information, see [Configure a CloudWatch Logs input using Splunk Web](https://splunk.github.io/splunk-add-on-for-amazon-web-services/#Configure_a_CloudWatch_Logs_input_using_Splunk_Web) in the Splunk documentation. | Splunk administrator | 
| Configure the retrieval of Network Firewall metrics from CloudWatch. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html). By default, Splunk fetches the metric data every 5 minutes. This is a configurable parameter under **Advanced Settings**. For more information, see [Configure a CloudWatch input using Splunk Web](https://splunk.github.io/splunk-add-on-for-amazon-web-services/#Configure_a_CloudWatch_input_using_Splunk_Web) in the Splunk documentation. | Splunk administrator | 

### Create Splunk visualizations by using queries
<a name="create-splunk-visualizations-by-using-queries"></a>


| Task | Description | Skills required | 
| --- | --- | --- | 
| View the top source IP addresses. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html) | Splunk administrator | 
| View packet statistics. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html) | Splunk administrator | 
| View the most-used source ports. | [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/view-aws-network-firewall-logs-and-metrics-by-using-splunk.html) | Splunk administrator | 
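
The three visualizations above aggregate Network Firewall log events by source IP address, packet counts, and source port. As an added example that is not part of the AWS pattern or of Splunk, the following Python performs the same aggregations over constructed sample log events in the Network Firewall CloudWatch Logs format (netflow and alert records), which is useful for confirming the expected results before building the Splunk searches. The firewall name, addresses, ports, and counters are constructed values.

```python
import json
from collections import Counter

# Constructed sample CloudWatch log events in the Network Firewall log format
# (three netflow records, one alert record, one malformed line); fields trimmed.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"example-fw","event":{"event_type":"netflow","src_ip":"10.0.1.10",'
    '"src_port":44321,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","netflow":{"pkts":42,"bytes":6100}}}',
    '{"firewall_name":"example-fw","event":{"event_type":"netflow","src_ip":"10.0.1.10",'
    '"src_port":44322,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","netflow":{"pkts":8,"bytes":900}}}',
    '{"firewall_name":"example-fw","event":{"event_type":"netflow","src_ip":"10.0.2.20",'
    '"src_port":44321,"dest_ip":"198.51.100.53","dest_port":53,"proto":"UDP","netflow":{"pkts":2,"bytes":180}}}',
    '{"firewall_name":"example-fw","event":{"event_type":"alert","src_ip":"10.0.2.20",'
    '"src_port":53001,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"action":"blocked"}}}',
    'not json: a malformed line that a log parser must tolerate',
]

def parse_events(lines):
    """Return the inner 'event' objects from JSON log lines; skip malformed lines."""
    events = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        event = record.get("event")
        if isinstance(event, dict) and "event_type" in event:
            events.append(event)
    return events

def top_values(events, field, n=5, event_type="netflow"):
    """Most common values of a field (src_ip, src_port, ...), like a Splunk 'top' search."""
    return Counter(e[field] for e in events if e["event_type"] == event_type).most_common(n)

def packet_statistics(events):
    """Flow, packet, and byte totals per protocol, from netflow records only."""
    stats = {}
    for e in events:
        if e["event_type"] != "netflow":
            continue
        proto = stats.setdefault(e["proto"], {"flows": 0, "pkts": 0, "bytes": 0})
        proto["flows"] += 1
        proto["pkts"] += e["netflow"]["pkts"]
        proto["bytes"] += e["netflow"]["bytes"]
    return stats

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print(top_values(evs, "src_ip"), top_values(evs, "src_port"), packet_statistics(evs))
```

Alert records are kept separate from the packet statistics because they carry no netflow counters; pass `event_type="alert"` to `top_values` to rank the sources of blocked or alerted traffic instead.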

## Related resources
<a name="view-aws-network-firewall-logs-and-metrics-by-using-splunk-resources"></a>

**AWS documentation**
+ [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) (IAM documentation)
+ [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-start) (IAM documentation)
+ [Logging and monitoring in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-monitoring.html) (Network Firewall documentation)
+ [Route table configurations for AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/route-tables.html) (Network Firewall documentation)

**AWS blog posts**
+ [AWS Network Firewall deployment models](https://aws.amazon.com/pt/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/)

**AWS Marketplace**
+ [Splunk Enterprise Amazon Machine Image (AMI)](https://aws.amazon.com/marketplace/pp/prodview-l6oos72bsyaks)

# More patterns
<a name="networking-more-patterns-pattern-list"></a>

**Topics**
+ [Access a bastion host by using Session Manager and Amazon EC2 Instance Connect](access-a-bastion-host-by-using-session-manager-and-amazon-ec2-instance-connect.md)
+ [Access container applications privately on Amazon ECS by using AWS Fargate, AWS PrivateLink, and a Network Load Balancer](access-container-applications-privately-on-amazon-ecs-by-using-aws-fargate-aws-privatelink-and-a-network-load-balancer.md)
+ [Access container applications privately on Amazon ECS by using AWS PrivateLink and a Network Load Balancer](access-container-applications-privately-on-amazon-ecs-by-using-aws-privatelink-and-a-network-load-balancer.md)
+ [Centralize DNS resolution by using AWS Managed Microsoft AD and on-premises Microsoft Active Directory](centralize-dns-resolution-by-using-aws-managed-microsoft-ad-and-on-premises-microsoft-active-directory.md)
+ [Create a portal for micro-frontends by using AWS Amplify, Angular, and Module Federation](create-amplify-micro-frontend-portal.md)
+ [Deploy an Amazon API Gateway API on an internal website using private endpoints and an Application Load Balancer](deploy-an-amazon-api-gateway-api-on-an-internal-website-using-private-endpoints-and-an-application-load-balancer.md)
+ [Deploy detective attribute-based access controls for public subnets by using AWS Config](deploy-detective-attribute-based-access-controls-for-public-subnets-by-using-aws-config.md)
+ [Deploy preventative attribute-based access controls for public subnets](deploy-preventative-attribute-based-access-controls-for-public-subnets.md)
+ [Enable encrypted connections for PostgreSQL DB instances in Amazon RDS](enable-encrypted-connections-for-postgresql-db-instances-in-amazon-rds.md)
+ [Extend VRFs to AWS by using AWS Transit Gateway Connect](extend-vrfs-to-aws-by-using-aws-transit-gateway-connect.md)
+ [Migrate an F5 BIG-IP workload to F5 BIG-IP VE on the AWS Cloud](migrate-an-f5-big-ip-workload-to-f5-big-ip-ve-on-the-aws-cloud.md)
+ [Migrate NGINX Ingress Controllers when enabling Amazon EKS Auto Mode](migrate-nginx-ingress-controller-eks-auto-mode.md)
+ [Preserve routable IP space in multi-account VPC designs for non-workload subnets](preserve-routable-ip-space-in-multi-account-vpc-designs-for-non-workload-subnets.md)
+ [Prevent internet access at the account level by using a service control policy](prevent-internet-access-at-the-account-level-by-using-a-service-control-policy.md)
+ [Send alerts from AWS Network Firewall to a Slack channel](send-alerts-from-aws-network-firewall-to-a-slack-channel.md)
+ [Serve static content in an Amazon S3 bucket through a VPC by using Amazon CloudFront](serve-static-content-in-an-amazon-s3-bucket-through-a-vpc-by-using-amazon-cloudfront.md)
+ [Set up disaster recovery for Oracle JD Edwards EnterpriseOne with AWS Elastic Disaster Recovery](set-up-disaster-recovery-for-oracle-jd-edwards-enterpriseone-with-aws-elastic-disaster-recovery.md)
+ [Use BMC Discovery queries to extract migration data for migration planning](use-bmc-discovery-queries-to-extract-migration-data-for-migration-planning.md)
+ [Use Network Firewall to capture the DNS domain names from the Server Name Indication for outbound traffic](use-network-firewall-to-capture-the-dns-domain-names-from-the-server-name-indication-sni-for-outbound-traffic.md)